Thursday, August 16, 2012

"Cybersecurity and FedRAMP: A Mandatory Combination," an article by Gloria Larkin


That cybersecurity is mandatory in the federal marketplace has, until now, been a widely held belief, but one without a specific process or policy to guide federal agencies that are moving to cloud-computing services. This deficit has been corrected with the Federal Risk and Authorization Management Program (FedRAMP).

According to the General Services Administration (GSA), FedRAMP is the result of close collaboration with cybersecurity and cloud experts from GSA, NIST, DHS, DoD, NSA, OMB, the Federal CIO Council and its working groups, as well as private industry.

These federal agencies collaborated to develop FedRAMP as a standardized approach to security assessment, authorization and continuous monitoring for cloud-based products and services. In the past, each agency incurred the costs to independently manage its own security risks, assess Information Technology (IT) systems and deploy improvements. This process proved to be inconsistent, duplicative, expensive and inefficient, and often failed to incorporate a focus on real-time threats and identify mitigation processes quickly.

The anticipated agency benefits include reduced costs, standardized security assessments and continuous monitoring, as well as quicker adoption of cloud-based services and products and bottom-line agency confidence in the security of cloud-based systems.

GSA further stated that “FedRAMP is mandatory for federal agency cloud deployments and service models at the low and moderate risk impact levels. Private cloud deployments intended for single organizations and implemented fully within federal facilities are the only exception.”

This is great news if a company is one of the “approved cloud service providers” that can prove that its products and services implement the security controls needed to meet the requirements outlined in FedRAMP. The bad news is that if a company is not on the “approved” list, there is little to no chance of seeing business in the federal cybersecurity market.

More information can be found at www.gsa.gov/portal/category/102371.
