Federal agencies are leveraging past work on authorizations to operate (ATO) to bring in more cloud tools covered by the Federal Risk and Authorization Management Program (FedRAMP) during the COVID-19 pandemic, said Brian Conrad, FedRAMP Cybersecurity Program Manager.
Speaking on November 20 at GovernmentCIO Media’s Cloud Summit event, Conrad noted that the variety of FedRAMP-approved services gave agencies a lot of options to use during the government’s large-scale move to telework this year.
“We keep track of the number of authorized cloud services that are reused across the government, and as you can imagine, this year that number skyrocketed,” he said. “Through FedRAMP, we enable the Federal government to accelerate the adoption of cloud computing by creating those transparent security standards,” he added.
When it comes to new policy for cloud security, Conrad discussed the need for the program to accommodate various situations across government, and the need for agencies to look at their own requirements. The same applies to policy covering commercial offerings, and to ensuring that security is maintained across a broad range of services.
“The challenge with writing policy for FedRAMP is that we have to understand the entire landscape … akin to guardrails on a road,” he noted. “We have to keep our policy and guidance broad enough to fit anybody from industry who wants to come into FedRAMP,” he added.
Conrad also discussed the work that goes into ensuring that authorized services keep up their cyber posture, with ongoing review of commercial offerings.
“The ongoing assessment is done through our continuous monitoring, through the annual assessments and also through the evaluation of significant changes that cloud service providers make quite frequently,” Conrad explained.
He also noted that agencies need to understand their responsibility in securing the cloud environment, with the FedRAMP program working to improve understanding through outreach.
“One of the biggest challenges is understanding that cloud is a shared security model. When a cloud service offering gets a FedRAMP authorization, it’s getting a stamp of approval that it meets certain requirements … but when agencies use these authorized cloud services, they have responsibilities as well.”