The federal government recognized the potential for cloud solutions to make agencies’ operations more flexible and cost-effective as far back as the 1990s. However, to implement such solutions on a wide scale, it would need an efficient way to ensure that cloud service providers were meeting security standards. It was from this line of thinking that the Federal Risk and Authorization Management Program — or FedRAMP — was born.
FedRAMP, which is aimed at ensuring cloud services’ security compliance, offers a single process for assessment, authorization and monitoring. Its accreditation is a must for any cloud service provider wishing to do business with a federal agency.
However, even though it achieved a cohesive, single-source method for cloud security authorization, FedRAMP was not implemented without drawbacks. Many cloud service providers have found themselves hopelessly confused by the standards for certification. In response, FedRAMP has remained diligent in improving its processes, streamlining wherever possible.
In September 2017, for instance, the program released the FedRAMP Tailored policy, which offers a streamlined authorization process for lower-risk cloud services. And in November, the FedRAMP Playbook was introduced, giving agencies guidance on collaborating closely with communication service providers.
Going forward in 2018, the program plans to make even more changes, this time focusing on continuous monitoring capabilities.
After a cloud service is authorized, FedRAMP, together with the cloud service provider (CSP) and the contracting agency, must conduct continuous monitoring on an ongoing basis. According to FedRAMP Director Matt Goodrich, the program currently spends about 75% of its security budget on monitoring, and it would like that to change drastically. As such, it is currently considering alternatives to its internal monitoring processes, as well as automation capabilities.
For CSPs and agencies, FedRAMP’s attempt to improve monitoring capabilities is a potential perk. Once the program is able to free up the resources it would have spent on monitoring, it will be able to focus, to a greater extent, on authorizing more CSPs and broadening the options for agencies looking to contract cloud services.