Agencies' needs could imperil FedRAMP

The highly touted Federal Risk Authorization Management Program (FedRAMP), and programs like it, depend on maintaining standards. In FedRAMP's case, it's a standardized approach to the security authorization process for cloud products and services.

But not all agencies fit neatly into the standardized approach, some industry observers told a Washington audience on Jan. 19. They have individual compliance needs and modification requirements that can undermine an effort to apply standards.

One of the challenges of a program like FedRAMP “is most government agencies don’t take a bare-minimum, standards approach for most things they do,” said Henry Fleischmann, Hewlett-Packard’s chief technologist for federal cloud solutions.

For example, when agency managers are presented with a "cloud-in the-box," they often want to know if it can work with an older legacy system, in a heterogeneous environment, with all of their different vendors and in many different security zones, Fleischmann said.

“This is the challenge,” he said. “Putting standards out there is good, but agencies will still maintain their own stacks of compliance and the way they do business that might break some of the standardization,” Fleischmann said during a panel discussion at a conference on government cloud security presented by GTSI and Federal Computer Week.

Government managers need to examine the value proposition of the cloud, noted Ira “Gus” Hunt, chief technology officer for the CIA, who moderated the panel.

That value proposition stipulates ruthless standardization and automation so processes can be repeated over and over again. “But if government is coming in and saying, ‘Nice, but modify it especially for me,’ then you lose all of the value proposition,” Hunt said.

The government released security control baselines on Jan. 6 that have been agreed upon by federal agencies and approved by the FedRAMP Joint Authorization Board that address the elements of authorizing cloud products and services. These include factors such as multitenancy, control of an infrastructure and shared resource pooling. FedRAMP security controls align with the National Institute of Standards and Technology Special Publication 800-53, Revision 3, for low- and moderate-impact systems.

“Agencies should dig into the FedRAMP controls” and understand how the controls align with their agency’s security requirements, said Scott Armstrong, who directs Symantec’s public-sector business development, cybersecurity and cloud initiatives.

The FedRAMP Joint Authorization Board can allow agencies to increase or modify security controls when it is necessary, he said. Additionally, cloud providers’ products and services will have to be accredited by a third-party organization, so rather than an agency having to trust another agency’s processes, there will be a trusted third party that should provide guarantees that controls have been met and implemented.

Katie Lewin, director of cloud computing for the General Services Administration’s Office of Citizen Services and Innovative Technologies, picked up on theme of modifying controls and third-party accreditation firms vetting cloud providers in another panel discussion moderated by Chris Dorobek of

Baseline security controls might be adequate, but agencies can add additional controls that are specific to their security profile.

Agencies will take the baseline security controls as a starting point to issue an authority to operate a cloud provider’s services. “You can add controls to the FedRAMP baseline for your specific instance of whatever kind of [cloud] service you are using,” she said about agencies seeking to vet cloud products and services.

GSA and partner agencies are working on building capacity for controls related to continuous monitoring of cloud services within FedRAMP. “So when we come out with [FedRAMP’s] initial operating capability in June there will be three to nine controls that will [address] automated continuous monitoring. Agencies will have to harness these controls, so cloud providers can report on security instances in a continuous way, Lewin noted.

About the Author

Rutrell Yasin is is a freelance technology writer for GCN.


  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

  • Comment
    Pilot Class. The author and Barbie Flowers are first row third and second from right, respectively.

    How VA is disrupting tech delivery

    A former Digital Service specialist at the Department of Veterans Affairs explains efforts to transition government from a legacy "project" approach to a more user-centered "product" method.

  • Cloud
    cloud migration

    DHS cloud push comes with complications

    A pressing data center closure schedule and an ensuing scramble to move applications means that some Homeland Security components might need more than one hop to get to the cloud.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.