FedRAMP, or the Federal Risk and Authorization Management Program, is a standardized approach to security assessment, authorization, and monitoring for cloud applications. It was created by the U.S. General Services Administration in response to growing government usage of the cloud, which has obvious benefits at many levels of operation and operational support but produces many challenges from the cybersecurity perspective.

Cloud computers more or less face the same threat vectors posed to traditional IT systems: bypassing firewalls, remote shellcode attacks, social engineering, spear phishing campaigns, and more. In addition, though, the cloud poses numerous other security risks.

Cloud services are often run via Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) providers, which means that numerous clients (or, in this case, agencies) all have their applications running on the same physical server. If cloud applications are not properly isolated, then a hacker can break into agency A’s application and from there break into agency B’s database. One agency’s vulnerability would directly impact that of another; it’s a dangerous effect, particularly as federal agencies increasingly share systems and information.

In the face of these complex risks, FedRAMP aims for cohesion and simplicity. By following the framework, federal agencies can secure their cloud beginning at the policy level and working their way down to the operational, technical, and human tiers. And since FedRAMP’s developers also collaborated with the National Institute of Standards and Technology, the U.S. Department of Defense, and the U.S. Department of Homeland Security, the standards can be used in a breadth of federal cloud environments.

Further, the financial savings of this utility are quite considerable, and the cost of the program itself is also going down.

Security Baselines

FedRAMP offers four security baselines that agencies can use to approximate risk:

  1. High (Read more...)