Adapting FedRAMP to Secure Sensitive Info
How to Compensate for Lack of High-Impact Security Controls
FedRAMP, the federal government's program to vet the security of cloud providers, doesn't offer the controls necessary to assure the security of sensitive but unclassified data. But a former federal agency CISO is championing a workaround to allow such highly sensitive data to be moved to the cloud.
"The government hasn't published its FedRAMP controls for high sensitivity data and that's kind of a rub with moving into the cloud for a lot of agencies," Patrick Howard, former CISO at the U.S. Nuclear Regulatory Commission and Department of Urban Affairs, says in an interview with Information Security Media Group.
Howard says his former colleagues at government agencies tell him that they're reluctant to move highly sensitive data to the cloud until the Federal Risk and Authorization Management Program adopts additional security controls.
FedRAMP employs the National Institute of Standards and Technology guidance known as FIPS 199 to identify three levels of potential impact of data loss to organizations and individuals: low, moderate and high. But FedRAMP provides security controls for only low and moderate levels of impact.
However, Howard, now program manager for the continuous diagnostic and mitigation program at SecureInfo Kratos, and his colleague, Michael Rohde, are promoting a workaround, in which agencies adopt more stringent security controls developed by the Defense Information Systems Agency to secure sensitive data.
Federal agencies must use FedRAMP to vet cloud providers but can adapt the process by incorporating additional controls such as those developed by DISA in granting a cloud service provider an "authority to operate," also known as an ATO.
"It won't be a FedRAMP ATO but it will be an agency ATO at that higher-impact level," says Rohde, a senior director who oversees government and commercial programs at SecureInfo Kratos, a third-party assessment organization that evaluates the security of services offered by cloud providers. "And, that's essentially the federal government saying to a cloud-service provider, 'We authorize the use of your system for government data.'"
In the interview, Howard and Rohde:
- Discuss ways federal agencies can hasten the approval of cloud security providers to store sensitive data and systems;
- Explain how implementing continuous monitoring in the cloud can prove to be more efficient than agencies conducting the monitoring on their own systems; and
- Predict when the federal government will identify security controls in FedRAMP to allow highly sensitive data to be stored on the cloud.
Howard served as CISO at HUD from 2005 to 2008 and the NRC from 2008 to 2012. Previously, he served as a senior information security specialist at Titan Corp., managing the Department of Transportation's security certification and accreditation program. He's the author of the book "Building and Implementing a Security Certification and Accreditation Program."
Before joining SecureInfo Kratos in 2006, Rohde worked as an associate at Booz Allen Hamilton and as a senior consultant at PricewaterhouseCoopers. Rohde has a master's degree in accounting information systems from James Madison University.