The General Services Administration’s (GSA) Federal Risk and Authorization Management Program (FedRAMP) is looking for feedback on a proposed policy update to how it applies Federal cryptography standards to cloud providers.
FedRAMP aims to provide a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by Federal agencies.
The proposed policy update would strengthen FedRAMP by encouraging cloud providers to patch security vulnerabilities as a first priority, consistently use approved cryptography, and focus on securing system components that protect Federal information.
“Critically, our goal is to do these things while driving continued participation with Federal cryptographic certification processes, and use of validated cryptographic modules by Federal agencies,” FedRAMP said in an Aug. 9 blog post.
Agencies that use cryptography to protect Federal information are currently required to use cryptographic modules validated against the National Institute of Standards and Technology (NIST) standard for such modules, Federal Information Processing Standard (FIPS) 140-3.
FedRAMP said it enforces the requirements of FIPS 140-3 as part of its authorization process, “so that Federal agencies who use authorized cloud providers can have confidence they are using validated cryptography.”
However, FedRAMP said that agencies and cloud providers have made it clear in recent years that they “continue to face difficult security choices when trying to follow these requirements.” One such choice arises because a FIPS 140-3 validation applies to a specific version of a cryptographic module: when a vulnerability is found in that module, a provider must decide between applying the fix promptly and remaining on the exact validated version until the patched version has itself been validated.
The proposed policy update aims to make these requirements easier to follow. For example, it includes specific guidance on patching, something FedRAMP said it “needs authorized cloud services to consistently prioritize” to better defend Federal agencies.
“Our proposed policy balances these goals by laying out clear priorities, timelines, and requirements for cloud providers, agencies, and assessors so that they each know how to best maintain their security posture in this and other kinds of challenging situations,” the blog post says.
FedRAMP said it developed the proposed policy update in partnership with NIST, FedRAMP’s Technical Advisory Group, and other stakeholders. Those looking to submit comments on it must do so by Sept. 9.