Mathias Rosenthal - Fotolia
What's the latest update on the FedRAMP certification? A year ago it was still a relatively new standard and there was some concern as to whether or not it would be helpful. How has FedRAMP cloud security compliance played out?
FedRAMP is ramping up! (I'm sorry, I couldn't help myself.) The Federal Risk and Authorization Management Program launched in 2012 with the intent of standardizing security assessments across the federal government. IT managers throughout the government hoped the program would help streamline the process of evaluating and selecting service providers as government agencies moved to adopt cloud computing. Cloud service providers had until June 2014 to submit their applications for FedRAMP certification.
To date, many major service providers, including Amazon Web Services, Microsoft Azure and Oracle have become FedRAMP certified and can now be used by federal government agencies. The adoption of their services by the federal government is one sign of the program's success.
That said, some of FedRAMP's success falls outside its intended sphere of influence. Cloud service providers often cite FedRAMP certification in their sales pitches to private companies, and many security professionals around the world look to this certification as a sign that a cloud provider takes security seriously and is willing to invest the talent and financial resources required to become FedRamp certified.
It's likely that there will be an increased growth of FedRAMP-style certification programs in the private sector as businesses around the world seek to get their arms around the difficult problem of evaluating the security posture of a wide variety of cloud providers. As organizations increase the number of providers they work with, it becomes increasingly difficult to perform assessments independently. As a result, shared certification programs promise to perform more thorough assessments in a more cost-effective manner by sharing the costs across a large number of customers.
Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)
Find out if FedRAMP security controls are really enough
Learn if FedRAMP can influence broader cloud computing standards
Check out this comparison between FedRAMP and FISMA
Dig Deeper on Security audit, compliance and standards
Related Q&A from Mike Chapple
Explore the differences between wired and wireless network security, and read up on best practices to ensure security with or without wires. Continue Reading
Choosing to encrypt confidential data with AES or DES encryption is an important cybersecurity matter. Learn about the important differences between ... Continue Reading
It's not possible to eradicate the risk of DoS attacks, but there are steps infosec pros can take to reduce their impact. Mike Chapple shares ... Continue Reading