Revamping FedRAMP: GSA's cloud security upgrades

GSA's McClure tackles myths about program, lists areas tiger teams are working on

Editor's note: A version of this story was previously published at GCN.com.

Five new tiger teams of representatives from across government are working to improve the Federal Risk and Authorization Management Program (FedRAMP) based on feedback submitted during the public comment process, the General Services Administration's David McClure told attendees at a recent symposium on high-performance cloud computing in Washington, D.C.

McClure provided a short list of concerns that GSA and government partners are working on to improve FedRAMP and sought to dispel myths about the security accreditation and authorization program designed to vet cloud providers and services. One big myth is that with FedRAMP the government is “blowing up [the Federal Information Security Management Act] and completely redesigning the security approach to the federal government,” McClure said during the symposium sponsored by AFCEA's Bethesda chapter at the Willard InterContinental Hotel.

Instead, FedRAMP’s “focus is to improve the security accreditation process by using an approach that can be vetted and reused across the government,” McClure said. The goal is to implement it once, use it many times and bring some consistency to how this is being done. Hopefully, this also will lower the cost for the security process, he said.

GSA is trying to improve FedRAMP. Out of thousands of comments submitted, GSA chose these aspects for attention.

1. Too many controls, and the same controls applied across different risk levels.

The government is working to reduce the number of security controls that will be tested. GSA and others cannot eliminate all controls because many are stringent and necessary to secure government computers. However, the government is trying to differentiate between controls at the low-, medium- and high-risk levels – all of the objectives of FISMA.

2. More guidance on third-party assessors’ independence.

Who assesses the cloud provider? Some service providers pick the organizations that assess them and then provide the reports to the government. This is equivalent to someone picking his or her own home inspector when trying to sell a house, McClure said. There are options, such as having government entities do the assessment. The government is also exploring a NIST suggestion to adopt a model similar to consumer product testing or health care standards, where an accreditation board oversees the process. This world-class board would have the independence to approve a set of accredited assessors, McClure said.

The full version of the article, including the remaining five concerns GSA is addressing, is available at GCN.com.

About the Author

Rutrell Yasin is a freelance technology writer for GCN.
