FedRAMP high is coming soon


The next few months will be busy for the Federal Risk and Authorization Management Program as it launches its high baseline standards, issues new requirements for third-party assessment organizations and spreads the cloud security gospel, FedRAMP Director Matt Goodrich said at the Advanced Technology Academic Research Center's cloud summit on Jan. 13.

More than a year in the making, "FedRAMP high" has been subject to public comment from various stakeholders. With no major changes proposed to the latest draft, the high-security baseline should be published in its final form by February or March, Goodrich said, with requirements for third-party assessment organizations coming at the end of February.

Goodrich stressed the importance of working closely with agencies on the new baseline. FedRAMP's "agency evangelist" Ashley Mahan will embark on an agency-by-agency tour in the coming months to ensure that the program is working and that every agency has a dedicated FedRAMP person. Officials will also be seeking "customer journey" stories from agencies.

In addition, they will try to procure an automated review process by partnering with another General Services Administration outfit, 18F. And Goodrich said he plans to use 18F's micro-purchase reverse auctions to solicit Python developers for the project.

The future of cloud

Agriculture Department CIO Jonathan Alboum was one of many agency leaders who talked about trust in the cloud at the ATARC event.

"I wouldn't say that we're a cloud broker yet," he said, explaining the dual cloud adviser/provider role USDA is trying to embrace for its agencies. "That's the direction that we have to go."

Part of the advisory role will involve promoting trust.

"The real challenge for us is being able to keep up," he said of USDA's homegrown cloud operation, noting that the research and development spending of companies such as Amazon and Google dwarfs USDA's. "It's going to be very difficult for an organization like ours to ever keep up."

Such imbalances motivate Air Force CTO Frank Konieczny to eschew USDA's approach.

"We're kind of different," Konieczny said. "We want to get out of the business. We don't want to manage anything." He added that he'd rather buy private-sector expertise than devote scarce personnel to cloud problems.

Other participants called for contracting changes.

"If you have to pay for everything in advance before you use it, it's pretty much impossible to take advantage of [cloud's dynamic potential]," said International Trade Administration CIO Joe Paiva, who advocated having agencies buy cloud services through bigger contracts.

In a post-event discussion with FCW, two USDA officials pointed to GSA's recent blanket purchase agreement as a promising example of such a contract.

Paiva also touted the potential security of the cloud.

"Every time we get breached, it's like 'Groundhog Day,'" Paiva said. Attackers send infected email messages to gain initial entry, hang around to nab administrative credentials and then move laterally through a network. "Using two-factor authentication doesn't fix that. Virtualizing the environment doesn't fix that."

The real fix is having everything in the cloud. "If you have no network, no one can move laterally in your network," Paiva said.

He also issued a call for agencies to stop creating their own tools and instead rely on well-designed, off-the-shelf offerings.

"He's trying to pick a fight with me," U.S. Citizenship and Immigration Services CIO Mark Schwartz said. "The problem is your [software-as-a-service] application is not going to exactly meet your needs, and you're going to customize it." That customization, he argued, can introduce more security flaws than would have existed in applications that were custom-coded from the start.

About the Author

Zach Noble is a staff writer covering digital citizen services, workforce issues and a range of civilian federal agencies.

Before joining FCW in 2015, Noble served as assistant editor at the viral news site TheBlaze, where he wrote a mix of business, political and breaking news stories and managed weekend news coverage. He has also written for online and print publications including The Washington Free Beacon, The Santa Barbara News-Press, The Federalist and Washington Technology.

Noble is a graduate of Saint Vincent College, where he studied English, economics and mathematics.

