FedRAMP: the gold standard for CSP security

October 10, 2019

On retail websites, an SSL (secure sockets layer) certificate symbol signals to consumers that the credit card data they input will be encrypted during delivery to the retailer.

Similarly, certification under the Federal Risk and Authorization Management Program (FedRAMP) provides an attestation of quality concerning the security of cloud service providers (CSPs).

But unlike SSL, which is a minimum and norm for online shopping security, FedRAMP is a gold standard for CSP security.

FedRAMP was created around 2011 as a risk management program to determine whether cloud products and services are secure enough to hold sensitive information from federal agencies. The program ensures that the cloud service provider meets all legally-mandated federal security measures before receiving a government contract.

But the private sector and other organizations also use the program to evaluate cloud service providers’ standards for and commitment to cybersecurity.

Not only does the program open the door to lucrative government contracts, it also can help commercial companies reduce risk as they transition to the cloud. Companies face intense competitive pressure to move information to the cloud while at the same time, witnessing its pitfalls splattered across news headlines about data breaches.

FedRAMP- authorized cloud solutions bring a greater peace of mind that their businesses have security controls as well fortified as in-house government agencies and other vital federal agencies.

The certification covers more than 5 million assets of the world’s largest cloud providers and one-third of the world’s internet traffic, according to FedRAMP’s website.

Yet, out of some 17,000 cloud applications on the market, only about 300 have obtained the authorization. Only a limited number of those are available on the commercial market, wrote Daniel Kent, chief technology officer for Cisco Systems Public Sector organization, in a June post on DARK Reading, an online community for security professionals.

All of the big-name cloud service providers, such as Amazon, IBM and Microsoft, are FedRAMP authorized. But small and midsize organizations are also joining the fold. They come from a variety of industries, including healthcare, insurance, utilities, banking and eDiscovery solutions providers such as Innovative Discovery.

The fact that only about 80 cloud service providers have achieved the certification is a testament to its rigor, noted Matthew Milone, federal operations director at Complete Discover Source, in a 2018 post on the company’s website.

The program demands security controls that exceed the baseline criteria from the National Institute of Standards and Technology (NIST) Publication 800-171. Additionally, it requires a third-party assessment organization to certify that the security controls comply with federal rules concerning security assessment, authorization, and continuous monitoring.

These assessment organizations must be accredited by the American Association for Laboratory Accreditation (A2LA) and demonstrate independence and technical competence to test and report on security systems, as noted in the R311 – Specific Requirements: Federal Risk and Authorization Management Program (FedRAMP) document found here.

“So, why should commercial organizations pay attention to FedRAMP?” Kent asked in his DARK Reading post.

“The answer is trust and confidence,” Kent said.

Next Post