The FedRAMP Memo Aims to Hasten Cloud Adoption

The memo’s forward-thinking approach “will offer the government the innovation and rapid feature development of a true commercial cloud” to speed up agencies’ cloud adoption, says Leigh Palmer, public sector vice president at Google.

Rather than have cloud providers create separate infrastructure and solutions for federal use, the memo proposes incentivizing them to give agencies access to the same tools available to everyone else.

The White House further suggests expanding the FedRAMP marketplace by offering multiple authorization structures.

A single-agency authorization would indicate that one agency has assessed a cloud service’s security posture and found it acceptable. A joint-agency authorization, signed by officials from two or more agencies, would enable those with similar needs to work together to acquire cloud products or services, according to the memo.

Further still, a program authorization, signed by the FedRAMP director, would allow multiple agencies to use a cloud product or service, even in cases where an agency sponsor hasn’t been identified. All these channels could make the cloud more readily available across government.

READ MORE: Interest in software-defined WAN could lead more agencies to use FedRAMP.

Implementing a Stronger FedRAMP Security Review

The memo also proposes revamping the FedRAMP security review with “an automated process for the intake and use of industry standard security assessments and reviews.” Automation “will reduce the burden on program participants and increase the speed of implementing cloud solutions in a timely manner,” the memo states.

“These efforts not only reduce the time and cost of approvals, but most importantly they make it easier to deliver the industry’s best cloud security solutions,” says Richard Breakiron, senior director of strategic initiatives for the Americas public sector at Commvault.

To bolster security outcomes, the memo calls for the FedRAMP review process to “consistently assess and validate the core security claims made by a cloud provider.” That includes reviewing documentation and opens the door to red team assessments of the cloud provider at any point during or after the authorization process.

This continuous monitoring “should incentivize security through agility, and should enable federal agencies to use the most current and innovative cloud products and services possible,” the memo states.


By admin