Let’s talk about one of everyone’s favorite topics: the federal government and all of the data it’s collecting and storing about you and each and every one of the rest of us. OK, so maybe “favorite” isn’t exactly the best word to describe this subject, as the NSA’s PRISM initiative has sort of made this whole thing something most people only love to hate.
In any case, the U.S. government has lots and lots and lots of data. Every government agency needs to store data of some sort on U.S. citizens, just as every business needs to store data on its customers and prospects. There are a plethora of government agencies and branches and even more subdivisions and departments and so on and so forth. Each and every one of them has loads of data, and just like businesses, they’re increasingly looking to store it in cloud data centers.
Since it’s the federal government we’re talking about here, much of the data in question needs to be highly secure. The government has an astounding amount of personal and financial data on each and every one of us, and none of us want that data getting into the wrong hands. We’ve all learned over the past several years that there are many determined parties out there seeking to gain unauthorized access to data, and (unfortunately) many have the means to do so. Countless high-level government and major corporation servers around the globe have been hacked into in recent years.
Enter the Federal Risk and Authorization Management Program, or “FedRAMP” for short. On Thursday, June 5, the deadline for federal agencies and the cloud providers that service them to reach compliance with this uniform set of security requirements arrived. The deadline came approximately three years after previous federal Chief Information Officer Vivek Kundra introduced the Cloud First initiative, which was designed to get agencies thinking about cloud data solutions as an option for deploying applications before they considered any other alternatives.
Unfortunately, many agencies have been slow to jump on the FedRAMP bandwagon. But before we delve into the reasons for that, let’s back up a little bit and explore the program itself.
What Is FedRAMP?
Despite what the acronym might lead you to believe, FedRAMP is not a government-mandated handicap ramp program – not that there would be anything wrong with that. The federal government (perhaps somewhat miraculously) has a pretty succinct explanation of what the program is. According to its website, FedRAMP “is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.”
That almost sounds like it makes too much sense for the government. Another shocker is that the whole thing is designed to help the various disparate agencies out there work together, just like a functional government should. With the cloud, different government agencies can share the same IT resources to – and we know you’ll like this one – reduce costs and improve efficiency. The government even has a nice little bullet list promoting cloud server benefits to its agencies:
- Rapid elasticity and scalability: Rapidly provision computing capabilities to quickly increase or decrease computing power as business needs change.
- On-demand self-service: Quickly purchase comprehensive computing capabilities, such as servers and storage, without requiring human intervention with the provider of each service.
- More energy efficient: Be free of having to pay for powering and cooling IT centers, which traditionally have large carbon footprints and require strict environmental controls.
- More economical: Pool computing resources and leverage services that use a “multi-tenant” model.
- Pay per use: Pay only for the computing capabilities used.
- Universal access: Access and configure cloud services using the device of choice (laptop, mobile phone, etc.).
Well put, government. We couldn’t have said it better ourselves. In fact, we’ve been saying exactly those kinds of things for years now, and people have been listening. Organizations of all sizes and types have been choosing to go with the cloud, so why shouldn’t the government do the same? With FedRAMP, it should theoretically be able to. The program uses a “do once, use many times” approach that it claims provides cost, time and staffing savings when agencies conduct security assessments.
How Does FedRAMP Work?
If you’re an agency that wants to use cloud deployments, you need to work with FedRAMP-compliant providers. Unless, that is, you’re only going with a private deployment meant for a single organization and plan to implement completely within federal facilities. For everybody else, though, it’s FedRAMP or bust.
The program has several goals. It seeks to accelerate cloud adoption across the federal government by reusing assessments and authorizations, which is meant to boost officials’ confidence in cloud security. How exactly does it plan to pull that off, you ask? FedRAMP has requirements in place that were designed to ensure consistent cloud security authorizations through a set of standards and the use of accredited independent third-party assessment organizations. These measures are meant to bring an increase in automation and a near-real-time level of continuous monitoring through the use of existing security practices.
Before security can be guaranteed – or at least become as close to guaranteed as any data security can become – the risks must be assessed. As mentioned, cloud computing does many wonderful things, but the government knows that it also brings a number of very real and serious security concerns along with it. Agencies are required to plan and assess potential cloud environments before putting their data into them. Agencies must ask what type of cloud servers will be used; how the data on those servers will be accessed; what each agency’s own security and privacy requirements are; and how the agencies will remain accountable for the privacy and security of the data files and apps once they’re implemented and deployed.
Why Does the Government Need FedRAMP?
Nobody likes unnecessary government programs that cause a lot of red tape and paperwork and end up costing a lot of money. Nobody. The government is pretty convinced that this isn’t one of those types of programs. It believes it needs FedRAMP – but why?
Before the program was introduced, each and every agency managed security risks and provided security assessments and authorizations for each and every information technology system it used all on its own. That…kind of sounds like a mess, and it was. Uncle Sam found that this way of doing things cost a significant amount of money, made for a ton of inconsistencies across agencies and was generally horribly inefficient at actually ensuring security for cloud data.
Threats to cloud data can arise at any moment, and that means any organization that has its data up in the cloud needs to be capable of having a real-time look at what’s going on with the data so that it can squash persistent threats and mitigate risk. FedRAMP brings cross-agency security assessments and authorizations that use a standardized set of security controls; it uses those third-party assessors mentioned earlier; and it allows for coordinated and consistent monitoring services, which is something that anyone who relies on cloud data should really have.
Stay tuned to this multi-part series of blog posts as we dig deeper into who can become compliant and how, and what exactly is holding it up from happening for all federal agencies.
Image Source: Brightline