What the Recent Memo on FedRAMP Modernization Means for Agencies

Scaling the program and strengthening security reviews to accelerate cloud adoption are all part of the plan.

LISTEN

Your browser doesn’t support HTML5 audio

Cloud vendors support the White House’s proposed updates to the Federal Risk and Authorization Management Program as essential to its modernization.

The updates would scale the program, strengthen its security review process, and expedite agencies’ adoption of cloud products and services.

FedRAMP empowers agencies to securely use modern cloud technologies, and the White House released a draft memo Oct. 27 outlining desired changes to the program’s vision, scope and structure.

“The memo signals that the White House is committed to increasing the use of cloud-based solutions in government,” says Shannon Kellogg, vice president of public policy for Amazon Web Services. “It builds on a decade of policy that acknowledges that cloud solutions have the potential to accelerate innovation for federal agencies.”

Click the banner below to learn more about optimizing your cloud connection.

The FedRAMP Memo Aims to Hasten Cloud Adoption

The memo’s forward-thinking approach “will offer the government the innovation and rapid feature development of a true commercial cloud” to speed up agencies’ cloud adoption, says Leigh Palmer, public sector vice president at Google.

Rather than have cloud providers create separate infrastructure and solutions for federal use, the memo proposes incentivizing them to give agencies access to the same tools available to everyone else.

The White House further suggests expanding the FedRAMP marketplace by offering multiple authorization structures.

A single-agency authorization would indicate that one agency has assessed a cloud service’s security posture and found it acceptable. A joint-agency authorization, signed by officials from two or more agencies, would enable those with similar needs to work together to acquire cloud products or services, according to the memo.

Further still, a program authorization, signed by the FedRAMP director, would allow multiple agencies to use a cloud product or service, even in cases where an agency sponsor hasn’t been identified. All these channels could make the cloud more readily available across government.

READ MORE: Interest in software-defined WAN could lead more agencies to use FedRAMP.

Implementing a Stronger FedRAMP Security Review

The memo also proposes revamping the FedRAMP security review with “an automated process for the intake and use of industry standard security assessments and reviews.” Automation “will reduce the burden on program participants and increase the speed of implementing cloud solutions in a timely manner,” the memo states.

“These efforts not only reduce the time and cost of approvals, but most importantly they make it easier to deliver the industry’s best cloud security solutions,” says Richard Breakiron, senior director of strategic initiatives for the Americas public sector at Commvault.

To bolster security outcomes, the memo calls for the FedRAMP review process to “consistently assess and validate the core security claims made by a cloud provider.” That includes reviewing documentation and opens the door to red team assessments of the cloud provider at any point during or after the authorization process.

This continuous monitoring “should incentivize security through agility, and should enable federal agencies to use the most current and innovative cloud products and services possible,” the memo states.