April 18, 2019 by Siobhan Climer and Mishaal Khan
The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security for the cloud. Supported by the U.S. government, FedRAMP is a framework on which security assessments, authorizations, and cloud monitoring solutions are built.
Federal Agency cloud deployments must meet the FedRAMP requirements. Compliance ensures security for cloud-based federal data, building trust amongst citizens and consumers alike in an era where data on everyone is everywhere.
Join Mishaal Khan, Mindsight’s Senior Security Solutions Architect, Certified Ethical Hacker, CCIE R&S, Security Practitioner, and Certified Social Engineer Pentester as he lays out the current state of cybersecurity and what specific steps executives can take toward securing the business.
On May 2nd, learn how to prioritize your cybersecurity approach and tackle the low-hanging fruit in your security posture. By understanding the big picture, IT leaders can make informed security decisions that protect their data.
The FedRAMP requirements have evolved beyond the standard NIST baseline controls in NIST SP 800-53 to better address the unique architecture of cloud computing. This risk management program enforced by the federal Cloud First policy was rolled out in 2011.
Unsurprisingly, the federal government’s IT infrastructure is enormous – each agency has its own security mandates and technology needs – and so identifying a standard risk assessment is essential to ensuring consistent security across the federal government.
The FedRAMP provides a framework that 3PAOs – or third-party assessment organizations – can use to ensure that cloud service providers are adequately securing cloud-based data.
Validating the best cloud solution for your business is vital to making the smartest decision. Join Mindsight for our weekly demo days – a (free!) safe demo lab experience that gives you real data on how the solution will perform for your environment.
3PAOs And The JAB
Third-party assessment organizations are an important element of the FedRAMP compliance journey. The 3PAOs perform the security assessments of proposed cloud solutions, and these results are included in the authorization packages for final review by the Joint Authorization Board (JAB), who then either approves or denies the provisional authorization to operate using the proposed cloud solution.
Since each cloud solution is unique – and often intricate – this ensures a consistency in security approach to the cloud for the government. For non-federal agencies, working with a managed services provider to assess the risk of cloud partners is just as important.
FedRAMP And FISMA: Federal Security Regulations
While FISMA (the Federal Information Security Management Act) has been in effect since 2002, cloud computing developments – which only took off after the FISMA regulations were passed – changed security dynamics.
The cloud offers many benefits to data management:
- Backup and Disaster Recovery
At the same time, migrating to the cloud introduced new risks to the protection of agency data, and many agencies were hesitant to utilize this technology for this reason. FedRAMP enables agencies to minimize risk and engage the benefits of cloud computing.
FedRAMP And Federal, State, Local Government
As it stands today, FedRAMP is only applicable to cloud technologies that store, process, or transmit federal information. It is specifically targeted for federal use.
Non-federal government agencies cannot partner with a cloud service provider for FedRAMP authorization. If these non-federal organizations are processing federal information – and many do – it is the responsibility of the federal agency that manages that information to determine FedRAMP authorization requirements.
To find a FedRAMP-certified cloud service offering, non-federal agencies are encouraged to visit the FedRAMP Marketplace or work with their managed service provider to determine how to protect the types of data they are storing in the cloud.
Managing Security In The Cloud
Whether you are a highly-regulated federal agency or a mid-market enterprise, data security in the cloud is essential to building trust and ensuring business continuity.
80% of enterprise organizations and 78% of SMBs will have at least one application in the cloud by the end of 2019. If you are considering migrating an aspect of your business to the cloud – or you already have – ensuring security controls are in place and configured correctly is essential.
Join us by phone or in person for our weekly whiteboard sessions, where we take a one-on-one look at your environment and talk through what you hope to achieve by using the cloud.
Like what you read?
Contact us today to discuss cloud security, FedRAMP, and other data security regulations.
Mindsight, a Chicago IT services provider, is an extension of your team. Our culture is built on transparency and trust, and our team is made up of extraordinary people – the kinds of people you would hire. We have one of the largest expert-level engineering teams delivering the full spectrum of IT services and solutions, from cloud to infrastructure, collaboration to contact center. Our highly-certified engineers and process-oriented excellence have certainly been key to our success. But what really sets us apart is our straightforward and honest approach to every conversation, whether it is for an emerging business or global enterprise. Our customers rely on our thought leadership, responsiveness, and dedication to solving their toughest technology challenges.
Contact us at GoMindsight.com.
About The Authors
Mishaal Khan, Mindsight’s Security Solutions Architect, has been breaking and – thankfully – rebuilding computers for as long as he can remember. As a Certified Ethical Hacker (CEH), CCIE R&S, Security Practitioner, and Certified Social Engineer Pentester, Khan offers insight into the often murky world of cybersecurity. Khan brings a multinational perspective to the business security posture, and he has consulted with SMBs, schools, government institutions, and global enterprises, seeking to spread awareness in security, privacy, and open source intelligence.
Siobhan Climer, Science and Technology Writer for Mindsight, writes about technology trends in education, healthcare, and business. She previously taught STEM programs in elementary classrooms and museums, and writes extensively about cybersecurity, disaster recovery, cloud services, backups, data storage, network infrastructure, and the contact center. When she’s not writing tech, she’s writing fantasy, gardening, and exploring the world with her twin two-year old daughters. Find her on twitter @techtalksio.