FedRAMP: Your Ally in Navigating Government Cloud Security

In an increasingly digitized world where government workers handle sensitive data daily across a wide variety of systems, data security is critical, but hard to achieve. This is especially true for cloud services. For some time now, the Federal Information Security Management Act (FISMA) has mandated that government agencies adopt rigorous cybersecurity practices for their information systems commensurate with the massive risk of harm resulting from unauthorized access or loss of information. Compliance with FISMA (as well as FIPS 200 and NIST SP 800-53) can be complicated for in-house or “on-prem” software, but it’s much more difficult for individual agencies to evaluate cloud security.

What is FedRAMP?

FedRAMP, short for the Federal Risk and Authorization Management Program, provides a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud services, essentially operationalizing the implementation of FISMA for cloud services. In short, “FedRAMP is FISMA for the Cloud.”

The burden of ensuring cloud service security typically falls on the procurement team to include the necessary security requirements in any eventual contract award, then shifts to the project and program teams, as well as the CIO, to vet the vendor’s compliance and provide them with an authority to operate, or ATO. The process is laborious, expensive, and potentially inconsistent, opening the door to vulnerabilities. This is where FedRAMP comes into play.

FedRAMP aims to save time, cost, and resources by using a “do once, use many times” framework. This means a cloud service provider (CSP) goes through the rigorous FedRAMP approval process just once. Then, once authorized, its services can be used across multiple agencies. This eliminates the need for each agency to conduct its own security assessment for the same CSP, fostering consistency, efficiency, and cost savings.

FedRAMP’s Three Security Levels

FedRAMP categorizes cloud services into three security impact levels, based on the potential damage a data breach could cause, with increasing controls required for each step up in impact level:

  • Low impact: Limited adverse effect on work or individuals if there’s a data breach.
  • Moderate impact: Serious potential adverse effects. This accounts for about 80% of FedRAMP authorizations.
  • High impact: Catastrophic impact on operations or individual privacy if breached.

Recent Developments: FedRAMP in the NDAA

Although agencies have been required to purchase FedRAMP-certified cloud services since 2011, compliance has been less than stellar. In 2019, the Government Accountability Office (GAO) reported that even though cloud adoption was increasing, many agencies were still not using FedRAMP for their cloud service procurements. One agency even reported that it was using over 90 individual cloud services that were not FedRAMP approved. But this might be changing.

The National Defense Authorization Act for fiscal year 2023 recently codified FedRAMP, solidifying its role and importance in the federal IT space and implementing a “presumption of adequacy” for existing FedRAMP ATOs so that agencies have more coverage and confidence when relying on vendor FedRAMP certifications.

Today, government workers know better than anyone else why rules and regulations are important. In this case, FISMA is intended to protect our data and computer systems from falling into the wrong hands. But government workers also know all too well how hard it can be to comply with these rules and regulations. By standardizing security assessments and authorizations, FedRAMP provides an easier way to comply. It keeps our data safe, lets us focus on our core tasks, and helps our government operate smoothly in the digital era.


Benjamin Tingo is the Chief Legal Officer and Vice President of Strategic Partnerships at OPEXUS. OPEXUS (formerly AINS) is a DC-based GovTech 100 awardee whose mission is to empower professionals to elevate trust in public institutions through the design, development, and delivery of specialized case management software, including Open Government (FOIA and Correspondence), OIG Audits and Investigations, and Human Resources/Employee Management. Benjamin is a licensed attorney, with nearly twenty years of experience with complex civil and criminal litigation and as in-house GovTech counsel. He is also a member of NARA’s FOIA Advisory Committee and a volunteer firefighter.
