Monday, September 28, 2015
GSA is now into its 5th year of overseeing the Federal Risk and Authorization Management Program, which GSA’s website describes as “a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monit

Co-authored by guest blogger Andras Szakal, Vice President and CTO, US Federal, IBM

Benefits from FedRAMP

FedRAMP has made great strides in operationalizing the federal security C&A process. FedRAMP brings commercial best-practice standardization to the cloud security process, and does so across agencies in a way that also provides consistency across the entire federal government. Agencies can recognize the C&A/certification and obtain an Authority to Operate (ATO) for a cloud solution that another agency has already authorized, or that has been completed based on a review by the Joint Authorization Board (JAB). This process has created significant improvements in the marketplace for cloud services in government, as detailed in a prior blog post.

The FedRAMP process is leading to more secure software production across industry. FedRAMP (along with the European Union ISO requirements) is pushing commercial providers to integrate security compliance into end-to-end development, deployment and DevOps practices. For example, automated tooling helps product teams understand and develop FedRAMP packages, and automated processes for continuous monitoring within DevOps pipelines promote consistency between federal and commercial environments.

FedRAMP goes mobile

Over the past several years, cloud-based infrastructure has enabled a significant expansion in the number and quality of mobile applications, available to users on any device at any time. The government has followed this technology trail; agencies and industry are working together to give citizens, small businesses, and other stakeholders flexible, easy-to-use and cost-effective pathways to receive information and services over mobile devices. Providing for security in developing and implementing these pathways is key to long-term sustainability in this space for government, as it is for industry. Accordingly, FedRAMP has come into the mobile world, and this is paying benefits for government.

FedRAMP reviews of cloud-based mobile solutions are linking mobile technologies with cloud capabilities in a secure manner; in turn, FedRAMP's progress can drive the government to provide significantly enhanced services at greater speed, more focused on the needs of the user, and at lower cost. Strategies to address strong mobile security in the cloud bring numerous benefits:

- Managing devices securely.
- Enforcing policies associated with these devices.
- Integrating multiple devices under a single set of security and usage policies.
- Support for continuous monitoring.
- Reduction in the threat from a single compromised device by quickly identifying risks and removing that device from the network.

Ideas for Continued Improvement

Looking forward, FedRAMP may wish to consider the following areas for continued improvement:

- Lowering ATO process costs. Agencies must still provide C&A and ATO for each system, even when relying on a FedRAMP evaluation. GSA could consider ways to empower agencies so they can securely embrace these cloud market requirements while accelerating the decision-making process.
- GSA could assist agencies in developing repeatable processes and a framework for adaptation, recognizing that each agency has a unique culture and governance process and will have to tailor such a framework accordingly.
- In the mobility area, to protect privacy, FedRAMP can promote mobile cloud solutions that do not store any personal, private or company-confidential information in the cloud.