As state agencies move away from their current legacy cybersecurity systems, they should consider those that provide better modular capabilities. One way to do this is to move to Software as a Service (SaaS) and cloud-based solutions.
To help ensure the security of cloud products and services, the Office of Management and Budget (OMB) established the Federal Risk and Authorization Management Program (FedRAMP) in 2011, with the U.S. General Services Administration (GSA) implementing it. FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
The objective of FedRAMP is to provide a cost-effective, risk-based approach for the adoption and use of cloud services. This is achieved by standardizing security requirements for the authorization and ongoing cybersecurity assessment of information system cloud services.
FedRAMP is the result of close collaboration with cybersecurity and cloud experts from:
- General Services Administration (GSA)
- National Institute of Standards and Technology (NIST)
- Department of Homeland Security (DHS)
- Department of Defense (DOD)
- National Security Agency (NSA)
- Federal CIO Council and its working groups
- Private industry
Additional information on the FedRAMP governance can be found here.
Agencies or cloud service providers (CSPs) initiate the FedRAMP assessment process by beginning a security authorization that fulfills FedRAMP requirements. These requirements are Federal Information Security Management Act (FISMA) compliant and based on NIST 800-53 rev3. Then the organization initiates work with the FedRAMP project management office.
The goals of FedRAMP are to:
- Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations
- Increase confidence in the security of cloud solutions
- Achieve consistent security authorizations using a baseline set of agreed-upon standards to be used for cloud product approval in or outside of FedRAMP
- Ensure consistent application of existing security practices
- Increase confidence in security assessments
- Increase automation and near real-time data for continuous monitoring
Among its benefits, FedRAMP:
- Increases reuse of existing security assessments across agencies
- Saves significant cost, time, and resources
- Improves real-time security visibility
- Provides a uniform approach to risk-based management
- Enhances transparency between government and CSPs
- Improves the trustworthiness, reliability, consistency, and quality of the Federal security authorization process
If your organization is using cloud technologies that store, process, or transmit Federal information, then you are required to implement FedRAMP security initiatives.
Currently, netlogx is providing our client guidance to identify where FedRAMP may be required when implementing cloud-based services. For more information, contact us.