FedRAMP is intended to get cloud-service providers (CSPs) that serve government agencies accredited for specific security practices over the next two years. Although no CSP is yet certified, according to Chris Simpson, CEO at consultancy Bright Moon Security, who spoke on the topic at the CSA Congress this week, the goal is to get CSPs on board by assuring, through third-party assessments, that their cloud environments conform to specific security guidelines.
These include practices for incident response in the cloud, forensics in a highly dynamic environment, threat detection and analysis in a multi-tenant environment, and continuous monitoring for remediation, among other things. One FedRAMP idea is that service providers must be prepared to report security incidents of many types to US-CERT and to the government agency that might be impacted. The agency would also report to US-CERT, said Simpson.
If CSPs can't meet the FedRAMP guidelines, they won't be able to provide services to government agencies, said Simpson. Once certified under FedRAMP, though, they'll have a path to contracting with all federal agencies. But if a security incident or data breach occurs that is seen as negligence, that might be cause "to pull that authorization," Simpson concluded.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE.