FedRAMP, the program designed to make it easier for agencies to comply with federal mandates to move to the cloud by standardizing the security assessment of cloud services, is working on its next step: a High security baseline. The FedRAMP High baseline is already being piloted in the DoD and DHS, two agencies that demand more stringent data and cloud security than other federal agencies. The requirements and standards a cloud solution must meet to qualify at this level (referred to in the pilots as Level 5 security) are expected to be finalized in the next few months. The High baseline is intended to protect data that is sensitive, but not sensitive enough to be classified.
The addition of a High baseline for FedRAMP-authorized clouds creates an opportunity to expand another government-wide security initiative, Continuous Diagnostics and Mitigation (CDM). This program, initiated by the Department of Homeland Security, is designed to monitor agency networks internally for vulnerabilities that could be exploited by attackers who have already breached the agency's perimeter. Until now, FedRAMP and CDM were seemingly unrelated programs, but with the new FedRAMP High baseline the two are becoming more closely interwoven, helping agencies meet increased security demands while driving secure adoption of the cloud. DHS, the agency behind CDM, announced that it intends to begin conducting CDM in the cloud with smaller agencies first, giving them better tools to manage security controls, privileged users, and authentication requirements. By letting smaller agencies manage their cloud security through the CDM program first, DHS can refine the management guidelines that will help prevent future breaches. In sum, applying the controls and mission of CDM to FedRAMP-authorized clouds will help protect sensitive data from threats with tools designed specifically for cloud security.
But what will this relationship between FedRAMP High and CDM really mean for the agencies asked to adopt it? Joe Paiva, International Trade Administration CIO, discussed how the cloud could serve as a solution to ongoing security challenges. He stated that, "every time we [International Trade Administration] get breached, it's like 'Groundhog Day'. Attackers send infected email messages to gain initial entry, hang around to nab administrative credentials, and then move laterally through a network. Using two-factor authentication doesn't fix that. Virtualizing the environment doesn't fix that. If you have no network, no one can move laterally in your network." With workloads running in FedRAMP High-authorized services and continuous monitoring provided through CDM, federal IT leaders can spend less time worrying about the security of their networks and data and more time on their agency's mission.