FedRAMP Modernization Guide Still Contains Gaps, Experts Say

August 19, 2024 – Published on GovInfoSecurity

An eagerly awaited modernization push at the U.S. government’s one-stop shop for security-compliant cloud computing could help scale and revamp the program, though critical gaps may still remain that leave government networks vulnerable to major threats.

A recently published 21-page modernization guide to the Federal Risk and Authorization Management Program addresses some ubiquitous criticisms by allowing vendors to receive credit for aligning with similar security frameworks from the National Institute of Standards and Technology. It also streamlines the accreditation process for suppliers that have already been approved to sell their products to other federal entities.

Program boosters hope these measures will tamp down instances of federal agencies skirting the program. Although it has putatively been an unshakeable requirement in cloud procurement since late 2011, its reputation as a bottleneck means federal technology shops that are pressed by tight production deadlines, or that want uncertified technology, have done their cloud acquisitions elsewhere.

One of the largest remaining potential security gaps is how cloud service providers handle creating separate FedRAMP-compliant versions of their services, according to Jean-Paul Bergeaux, director of sales engineering for the federal sector at GuidePoint Security.

“Most cloud providers create a new instance of their offering on either AWS, Azure or GCP, while their commercial offering has more scale and in some cases is natively hosted on bare metal,” Bergeaux said. “This creates less scale and less resiliency for separate FedRAMP instances of commercial offerings.”