FedRAMP likely to experience significant changes in coming years
The federal government is, by this point, fully on board with the concept of cloud computing. Most notably, the Cloud First directive requires agencies to look at cloud options before considering on-premise, legacy solutions whenever they aim to add a new IT service. Beyond this, though, numerous federal departments have embraced cloud services in a wide range of capacities, going well beyond the bare minimum needed to achieve compliance. Government leaders at every level now recognize the value that cloud computing can offer and are eager to take advantage.
One of the few real impediments to even broader cloud integration is security. While cloud-related security concerns are far less pronounced today than they were just a few years ago, they remain an obstacle. The Federal Risk and Authorization Management Program, better known as FedRAMP, has played a valuable role in this capacity over the past couple of years, making it easier for federal agencies to confidently embrace cloud solutions that have met sufficient security standards.
The news source pointed out that for all the good it's done, there are a number of problems associated with FedRAMP as it stands today. Most notably, only 12 cloud service providers have received provision authority from the Joint Authorization Board. This significantly limits agency options when they strive to advance their cloud integration efforts.
There are a number of cloud service providers that have applied to receive FedRAMP approval, FCW noted. However, for a variety of reasons, these applications have yet to advance to the final stages of the process. These reasons include an insufficient number of third-party assessment organizations that can perform needed official evaluations, according to the source.
Additionally, there are certain limitations to FedRAMP standards in their current form. Perhaps most notably, these guidelines do not fully address the evolving, expanding cybersecurity threats that federal agencies now face and will need to grapple with in the coming years to ensure the safety and security of their data.
However, this may not be the case for much longer. The news source reported that the FedRAMP Program Management Office recently issued its latest update to FedRAMP standards. Among other changes, these new standards require federal cloud service vendors to provide continuous monitoring.
This is a key development. The cybersecurity landscape is constantly evolving, making it difficult – or even impossible – for static defensive measures to effectively halt external threats. One of the best means of minimizing the threat posed by increasingly sophisticated and dangerous cyberattackers is continuous monitoring. When handled correctly, this ensures that the vendor can react as soon as any type of anomalous or suspicious activity is detected, limiting the damage that such attacks will cause.
While the news source noted that these new standards may further complicate and slow down the FedRAMP approval process, it is fair to conclude that these side effects are worthwhile, especially in light of the numerous recent data breaches affecting federal agencies – including the White House and State Department. Clearly, the federal government needs to improve its data protection efforts across the board. As cloud services grow in prominence, this will become a key area for cybersecurity measures. Incorporating continuous monitoring into FedRAMP standards is a move in this direction. In the coming years, the program will likely continue to demand stricter security requirements for qualifying vendors.
To more fully protect themselves, agencies should also aim to go beyond FedRAMP's requirements, seeking out cloud services that have achieved even greater cybersecurity capabilities. A third-party cloud integration firm can help tremendously in such a search.