New FedRAMP updates: 5 ways federal agencies can evaluate and select the safest cloud providers

The primary purpose of the Federal Risk and Authorization Management Program is to ensure that federal agencies can leverage the benefits of modern cloud technologies while upholding stringent security standards. FedRAMP serves as a benchmark of security assurance in the ever-expanding cloud landscape, offering a framework that helps federal agencies evaluate and select cloud providers with the highest rigor for data protection. However, there has been speculation around whether FedRAMP is fit for purpose in an increasingly complex cyber threat environment. After all, certification lags the standard by a few years, and the standard lags in identifying control mechanisms to thwart emerging cyber threats.

According to a recent public memo from The White House, “Because federal agencies require the ability to use more commercial [Software-as-a-service] products and services to meet their enterprise and public-facing needs, the FedRAMP program must continue to change and evolve.”

This evolution has now begun. Recent updates to FedRAMP have been driven by several key imperatives. First, the program needed to scale to accommodate the growing demand for cloud services across federal agencies. Second, it aimed to mature by refining its focus on the most critical aspects of data security. Third, efforts were made to streamline the software authorization process, making it more efficient and accessible. Finally, reducing costs was a central goal, making cloud adoption more viable for agencies of all sizes. In essence, these updates represent a commitment to ensuring that FedRAMP remains a robust and adaptable tool for safeguarding federal data in the face of evolving security challenges.

The threats facing federal agencies

The timing couldn’t be worse. Just as agencies are being asked to modernize and embrace cloud services, the risk factor of moving workloads into the cloud has increased manyfold. In the wake of geopolitical turmoil and the democratization of advanced AI-based technologies, federal agencies must now navigate a minefield of cybersecurity challenges while orchestrating their migration and selecting cloud partners. Access to new technologies has armed cybercriminals, state actors and malicious entities with unprecedented access to hacking techniques and tools. We now operate in a world where AI/ML algorithms can be used to create malicious code, where social engineering and identity theft are more sophisticated than ever, and where software supply chains are only as strong as their weakest link. What’s more, the alarming emergence of ransomware-as-a-service – malicious software that’s readily available on the darknet – poses a substantial danger. In this environment, federal agencies must prioritize advanced security measures in their cloud services, recognizing the imperative of safeguarding sensitive data and systems from these evolving and multifaceted threats.

5 criteria federal agencies should use when selecting cloud providers

FedRAMP remains a key framework for security assurance and its updates will prove useful, but in the wake of mounting threats, here is a selection of criteria that chief information officers, chief information security officers and chief technology officers in federal agencies should consider when selecting a cloud provider.

1. Embrace a “defense-in-depth” approach

One fundamental principle of cloud security is adopting a “defense-in-depth” strategy. Federal agencies should seek cloud service and SaaS providers that employ multiple layers of control mechanisms to protect their data assets, including perimeter security, application security and data encryption. This approach ensures that even if one layer of security is breached, others remain intact, halting potential threats.

2. Explore beyond FedRAMP standards

While FedRAMP provides a robust framework for cloud security, forward-thinking agencies should explore additional security measures. For example, they should consider if their preferred SaaS solution provider has implemented a zero trust architecture, ensuring that data can only be accessed on a “need-to-know” basis. Solutions that have deployed artificial intelligence-based security methods for threat analysis and detection, and user behavior analysis, will also stand agencies in good stead, particularly when it comes to monitoring software supply chains and the flow of data.

3. Assess qualifying authorizations

Federal agencies should evaluate cloud providers not only based on FedRAMP requirements but also on other qualifying authorizations they may possess. Consider providers with certifications such as System and Organization Controls (SOC) 2, relevant International Organization for Standards (ISO) standards, or special designations such as AWS Government Competencies to meet the stringent security requirements of public agencies. Microsoft also has certifications such as FedRAMP scores and DoD impact level ratings which can help agencies understand the suitability of various services.

4. Examine partner network maturity

A cloud provider’s partner network plays a pivotal role in security. Assess the maturity and reliability of partners like CrowdStrike, AWS and Microsoft. A strong partner network can enhance an agency’s overall security posture.

5. Verify proactive security measures

Staying ahead of evolving threats is crucial. Confirm that the chosen cloud provider has a proven track record of proactive security measures and innovations. Leading providers continuously evolve their offerings to protect data hosted in their environment, often including real-time analytics and threat monitoring.

As federal agencies ride the wave of digital transformation and embrace cloud services, the landscape of cybersecurity continues to present complex challenges. The recent updates to FedRAMP signify a commitment to adaptability in the face of these evolving threats, but to safeguard their data, federal CIOs, CISOs and CTOs should look beyond government frameworks to ensure their cloud adoption strategies can move forward with confidence. Making informed choices about cloud providers is not just a matter of compliance but a critical step in securing the future of federal agencies and the fulfillment of their charter.

Manish Sharma is the senior vice president of engineering and security at Aurigo Software.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.