Revamping FedRAMP: GSA's cloud security upgrades

GSA's McClure tackles myths about program, lists areas tiger teams are working on

Editor's note: A version of this story was previously published at GCN.com.

Five new tiger teams of representatives from across government are working to improve the Federal Risk Authorization and Management Program (FedRAMP) based on feedback submitted during the public comment process, the General Services Administration’s David McClure told attendees at a recent symposium on high-performance cloud computing in Washington, D.C.

McClure provided a short list of concerns that GSA and government partners are working on to improve FedRAMP and sought to dispel myths about the security accreditation and authorization program designed to vet cloud providers and services. One big myth is that with FedRAMP the government is “blowing up [the Federal Information Security Management Act] and completely redesigning the security approach to the federal government,” McClure said during the symposium sponsored by AFCEA's Bethesda chapter at the Willard InterContinental Hotel.

Instead, FedRAMP’s “focus is to improve the security accreditation process by using an approach that can be vetted and reused across the government,” McClure said. The goal is to implement it once, use it many times and bring some consistency to how this is being done. Hopefully, this also will lower the cost for the security process, he said.

GSA is trying to improve FedRAMP. Out of the thousands of comments submitted, GSA chose the following aspects for attention.

1. Too many controls and controls for different risk levels.

The government is working to reduce the number of security controls that will be tested. GSA and others cannot eliminate all controls because many are stringent and necessary to secure government computers. However, the government is trying to differentiate between controls at the low-, medium- and high-risk levels – all of the objectives of FISMA.

2. More guidance on third-party assessors’ independence.

Who assesses the cloud provider? Some service providers pick the organizations that assess them and then provide the reports to the government. This is equivalent to someone picking his or her own home improvement inspector when trying to sell a house, McClure said. There are options such as having government entities do the assessment. The government is exploring a NIST suggestion to come up with a model similar to consumer product testing or the health standards area, where there is an accreditation board. This world-class board would have the independence to approve a set of accredited assessors, McClure said.

To read the full version of the article, including the remaining five concerns GSA is addressing, click here.

About the Author

Rutrell Yasin is a freelance technology writer for GCN.
