
FedRAMP Modernization Guide Still Contains Gaps, Expert Says

Expert Says Agencies Can Still Avoid FedRAMP Requirements Despite New Guidance
FedRAMP aims to scale and streamline the program for federal agencies with a long-anticipated modernization guide. (Image: Shutterstock)

An eagerly awaited modernization push at the U.S. government's one-stop shop for security-compliant cloud computing could help scale and revamp the program, though critical gaps may still remain that leave government networks vulnerable to major threats.


A recently published 21-page modernization guide to the Federal Risk and Authorization Management Program addresses some widespread criticisms by allowing vendors to receive credit for aligning with similar security frameworks from the National Institute of Standards and Technology. It also streamlines the accreditation process for suppliers that have already been approved to sell their products to other federal entities.

The guidance also pledges the government will establish an automated process for the intake and evaluation of routine security assessments. It calls for machine-readable security documentation and continuous monitoring data to help "reduce the burden on program participants and increase the speed of implementing cloud solutions in a timely manner."

FedRAMP has been steadily aiming to increase the speed and scale at which agencies adopt emerging technologies and modern tech solutions. In July the program released a framework that prioritizes the most critical cloud-relevant emerging technologies for FedRAMP approval. FedRAMP authorization allows cloud service providers and other companies to offer their products and services to federal agencies while ensuring they meet rigorous security requirements and can be trusted to handle sensitive government data (see: FedRAMP Launches New Framework for Emerging Technologies).

Program boosters hope these measures will tamp down instances of federal agencies skirting the program. Although FedRAMP has putatively been an unshakeable requirement in cloud procurement since late 2011, its reputation as a bottleneck means federal technology shops that are pressed by tight production deadlines or want uncertified tech have done their cloud acquisitions elsewhere.

FedRAMP has "about 300 offerings in a market of thousands - because it is cumbersome, costly and time-consuming," said Chris Hughes, co-founder and CISO of Aquia and the former General Services Administration technical representative for FedRAMP's Joint Authorization Board.

One of the largest remaining potential security gaps is how cloud service providers handle creating separate FedRAMP-compliant versions of their services, according to Jean-Paul Bergeaux, director of sales engineering for the federal sector at GuidePoint Security.

"Most cloud providers create a new instance of their offering on either AWS, Azure or GCP, while their commercial offering has more scale and in some cases is natively hosted on bare metal," Bergeaux said. "This creates less scale and less resiliency for separate FedRamp instances of commercial offerings."

Bergeaux said the Office of Management and Budget's decision to appoint an inaugural FedRAMP board could provide transparency to the streamlined process and "should help improve the level of security of the authorized products in the FedRamp marketplace over time."

Experts told Information Security Media Group that agencies prefer FedRAMP marketplace technologies because the General Services Administration assumes a significant portion of the risk associated with the security of those technologies. But critics have long called for FedRAMP to speed up the approval process and make it easier for secure tech offerings to be introduced to the market.

"Currently, the high barrier to entry limits competition and narrows the options available to federal agencies, often resulting in a reliance on legacy technology," Alex Kreilein, vice president of product security at Qualys, said in a June blog post.

Inspector General reports in recent years show that federal agencies such as the Department of Veterans Affairs have granted security authorizations for applications that were not FedRAMP-approved and failed to meet the program's requirements.

A February report from the Department of the Interior watchdog says the agency "did not ensure that bureaus purchased services using procurement contracts and from FedRAMP-approved CSPs."

The modernization guide does not address many of the issues that allow agencies to bypass FedRAMP requirements, but enforcement challenges likely extend beyond the scope of the program and its authorities, Hughes said. He said agencies such as the Cybersecurity and Infrastructure Security Agency or the Department of Homeland Security "may be better suited" to address ongoing security and compliance issues.

"FedRAMP is looking to improve how much it costs, a lack of automation and some other bottlenecks," Hughes told ISMG. "They may not be on the hook to solve everything."


About the Author

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.
