FedRAMP high is coming soon

The next few months will be busy for the Federal Risk and Authorization Management Program as it launches its high baseline standards, issues new requirements for third-party assessment organizations and spreads the cloud security gospel, FedRAMP Director Matt Goodrich said at the Advanced Technology Academic Research Center's cloud summit on Jan. 13.

More than a year in the making, "FedRAMP high" has been subject to public comment from various stakeholders. With no major changes proposed to the latest draft, the high-security baseline should be published in its final form by February or March, Goodrich said, with requirements for third-party assessment organizations coming at the end of February.

Goodrich stressed the importance of working closely with agencies on the new baseline. FedRAMP's "agency evangelist" Ashley Mahan will embark on an agency-by-agency tour in the coming months to ensure that the program is working and that every agency has a dedicated FedRAMP person. Officials will also be seeking "customer journey" stories from agencies.

In addition, they will try to procure an automated review process by partnering with another General Services Administration outfit, 18F. And Goodrich said he plans to use 18F's micro-purchase reverse auctions to solicit Python developers for the project.

The future of cloud

Agriculture Department CIO Jonathan Alboum was one of many agency leaders who talked about trust in the cloud at the ATARC event.

"I wouldn't say that we're a cloud broker yet," he said, explaining the dual cloud adviser/provider role USDA is trying to embrace for its agencies. "That's the direction that we have to go."

Part of the advisory role will involve promoting trust.

"The real challenge for us is being able to keep up," he said of USDA's homegrown cloud operation, noting that companies such as Amazon and Google dwarf USDA's research and development spending. "It's going to be very difficult for an organization like ours to ever keep up."

Such imbalances motivate Air Force CTO Frank Konieczny to eschew USDA's approach.

"We're kind of different," Konieczny said. "We want to get out of the business. We don't want to manage anything." He added that he'd rather buy private-sector expertise than devote scarce personnel to cloud problems.

Other participants called for contracting changes.

"If you have to pay for everything in advance before you use it, it's pretty much impossible to take advantage of [cloud's dynamic potential]," said International Trade Administration CIO Joe Paiva, who advocated having agencies buy cloud services through bigger contracts.

In a post-event discussion with FCW, two USDA officials pointed to GSA's recent blanket purchase agreement as a promising example of such a contract.

Paiva also touted the potential security of the cloud.

"Every time we get breached, it's like 'Groundhog Day,'" Paiva said. Attackers send infected email messages to gain initial entry, hang around to nab administrative credentials and then move laterally through a network. "Using two-factor authentication doesn't fix that. Virtualizing the environment doesn't fix that."

The real fix is having everything in the cloud. "If you have no network, no one can move laterally in your network," Paiva said.

He also issued a call for agencies to stop creating their own tools and instead rely on well-designed, off-the-shelf offerings.

"He's trying to pick a fight with me," U.S. Citizenship and Immigration Services CIO Mark Schwartz said. "The problem is your [software-as-a-service] application is not going to exactly meet your needs, and you're going to customize it." That customization, he argued, can introduce more security flaws than would have existed in applications that were custom-coded from the start.

About the Author

Zach Noble is a former FCW staff writer.