FedRAMP Is Too Complicated, Not Secure Enough: Survey

...

With savvy cybercriminals using vulnerabilities in apps, networks, and operating systems to gain c

The FedRAMP standard for federal agency use of cloud services has too many complications in its operations and lacks the assurance of security, according to the results of a MeriTalk survey.

The Federal Risk and Authorization Management Program (FedRAMP), meant to ensure secure federal government cloud use, isn't adding the security it was intended to provide. Its complicated procedures are sometimes keeping it from living up to expectations, according to a MeriTalk survey.

MeriTalk, a public/private partnership that publishes IT best practices for the federal government, released the results of its FedRAMP survey earlier this week. The survey, conducted online in April 2016, received responses from 150 federal IT leaders responsible for cloud decisions in their organizations. The majority of respondents (79%) said they were frustrated with the system, while 59% said they would consider implementing a cloud service for their agency that was not FedRAMP compliant.

FedRAMP was designed as a blueprint for assessing and confirming security levels among the suppliers of cloud computing to the Department of Defense, intelligence agencies, and federal offices that service civilians.

MeriTalk published a report on the survey, "FedRAMP Fault Lines," on May 23, and made a summary available to the press under the headline: "Four out of Five Federal Cloud Decision Makers Report Deep Frustrations With the FedRAMP Process."

The General Services Administration (GSA) launched FedRAMP in June 2012 in an attempt to standardize the way federal agencies assess the security of a cloud provider they wished to use.

Since June 2012, FedRAMP has been pressed into service by the Department of Defense, NASA, the Office of Management and Budget, and other federal users of cloud services. Use of FedRAMP is mandatory for Federal agency cloud deployments and service models at the low- and moderate-risk impact levels.

Yet, FedRAMP includes its own processes and procedures that are sometimes hard to understand, which are under revision by the Program Management Office in the GSA.

Meanwhile, CenturyLink, Virtustream, Amazon Web Services, and other major cloud suppliers have obtained FedRAMP certifications, indicating their security practices are up to snuff, according to FedRAMP.

At one point, the ability of a relatively unknown cloud services startup to obtain FedRAMP certification was an indicator that it might be acquired. Several certified startups, such as Autonomic Resources, acquired by CSC in February 2015, were bought after attaining certification.

Another example is Virtustream, which was certified in July 2014 and acquired by EMC in May 2015 for $1.2 billion.

Yet, 17% of respondents in the MeriTalk survey reported that FedRAMP does not factor into their cloud decisions.

Some 60% of respondents to the MeriTalk survey work in government agencies that serve civilians, while the remaining 40% work in military or intelligence agencies. Fifty-five percent of respondents working for civilian federal agencies reported that they did not believe FedRAMP had increased the security of their cloud use, while 65% of those working in military/intelligence agencies said the same.

FedRAMP is given credit for reducing the constant duplication of effort that marked previous attempts by federal agencies to establish basic security with cloud providers. Built into the FedRAMP system is a process by which agencies can grant an authority to operate (ATO) to an outside service provider after it has met the requirements of the FedRAMP template for security. An ATO is then supposed to be shared with other agencies, so long as they apply to the issuing agency for permission to use it.

But with new technologies constantly becoming available, along with new service providers, it's hard for FedRAMP's approach to keep up.

The process of certifying new services is slow, according to respondents. Neither is FedRAMP's grant of authority to operate (ATO) working the way it was intended.

[Want to see what MeriTalk found when it surveyed IT managers on federal data center closures? Read Cloud Adoption Could Save Feds $10 Billion Annually.]

The survey found that 41% of respondents have never used another agency's ATO, and that 35% of respondents who had obtained an ATO said their agency has not allowed others to use it. Also, 26% of respondents said their agency had been denied permission when seeking to use another agency's ATO.

No one is sure how much to conclude from such figures, because FedRAMP is plagued with a lack of visibility into its own internal operating procedures. In fact, 41% of respondents to the MeriTalk survey said they are not familiar with the GSA's plans to accelerate FedRAMP.

"FedRAMP remains cracked at the foundation," said Steve O'Keefe, founder MeriTalk, in a prepared statement. "We need a FedRAMP fix."

O'Keefe called for that fix to include improved guidance from the Program Management Office regarding how to use FedRAMP, a simplification of its processes, and increased transparency.

Get Your Dream Job. Use InformationWeek's hosted, searchable job board to land your next gig in tech. Start your search here.

Categories
APPLICATIONS
0 Comment

Leave a Reply

Captcha image


RELATED BY

  • 5300c769af79e

    Google Fiber Aims To Deliver Home Internet Service Wirelessly

    As Alphabet looks to bring internet service to more homes, its Google Fiber unit is experimenting with wireless delivery -- a means that could cost substantially less than laying cable., the first market to receive Google Fiber, the company is testing the concept of delivering wireless Internet to homes, Schmidt told shareholders.
  • 5300c769af79e

    VideoBlocks jumps on the virtual reality bandwagon to offer royalty-free VR stock footage

    Now, VideoBlocks is touting itself as the “first stock media company to add 2D and 3D virtual reality, 360-degree video” to its arsenal of content.The first thing you’ll probably notice is that VideoBlocks uses the terms “360-degree video” and “virtual reality” interchangeably, even though they’re not strictly the same thing.
  • 5300c769af79e

    Google Home Unboxing and Setup!

    After all, with Google Assistant involved, these units should only get better the more we use them.As a recap, Google Home is Google’s answer to the Amazon Echo.
  • 5300c769af79e

    Maturing a Threat Intelligence Program

    Download With the challenges and opportunities of TI in mind, ThreatConnect has developed the Threat Intelligence Maturity Model (TIMM).Whether you are getting started with TI or seeking to expand an existing program, it provides a systematic guide to help you understand where your organization resides on the path to a mature threat intelligence program and how it can better apply threat intelligence to drive smarter security processes, unite all resources behind a common defense, and take decisive action to keep your business on course.