Matt Goodrich, FedRAMP program manager, says latest revisions are the most extensive since the program's inception. (Colin Kelly / Federal Times)
The passing of the June 5 Federal Risk and Authorization Management Program (FedRAMP) deadline is only the beginning of the work of making federal cloud implementations secure.
The FedRAMP program itself is evolving, said Matthew Goodrich, manager of the program at the General Services Administration. On June 6, the agency released the largest update since the program launched in order to reflect updated National Institute of Standards and Technology requirements, he said. That includes changes to 13 of the FedRAMP templates as well as two additional guidance documents, many of which incorporate lessons learned over the past two years.
The updated documents are available at GSA’s FedRAMP website.
Meanwhile, an industry expert cautioned agencies against letting FedRAMP compliance turn into complacency. Complying with FedRAMP means selecting a FedRAMP-compliant service provider, which signifies that the provider's systems have been vetted and confirmed to meet the required security standards. That covers the provider's infrastructure, not what the agency builds on top of it. FedRAMP is just the start, not the endpoint, said Brian Burns, Director of Cloud Services at Agile-Defense, Inc.
“While the agency can feel confident that they have a secure infrastructure to build their applications upon, to truly secure the environment, agencies (or their systems integrator) need to harden the operating systems—remove unnecessary processes, lock down ports, really remove access that does not need to be there, etc.,” he said.
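The hardening Burns describes starts with an inventory: which services are actually listening, on which interfaces, and whether each one is supposed to be there. The following script is an added example, not code from the article or from Agile-Defense, showing how an agency or integrator might audit a Linux host's listening TCP sockets against an allowlist. It assumes the host produces `ss -Htlnp` style output; the sample output, the allowlist and the process names are constructed for illustration.

```python
"""Audit a Linux host's listening TCP sockets against an allowlist.

Added example for the FedRAMP hardening discussion; not part of the article.
Assumes input in the format of `ss -Htlnp` (no header, TCP, listening,
numeric, with process info). The sample below is constructed, not captured.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample resembling `ss -Htlnp` output on a hardened-in-name-only host.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 *:443 *:* users:(("nginx",pid=1203,fd=6))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=990,fd=5))
LISTEN 0 50 0.0.0.0:3306 0.0.0.0:* users:(("mysqld",pid=1310,fd=21))
LISTEN 0 128 0.0.0.0:6379 0.0.0.0:* users:(("redis-server",pid=1422,fd=6))
"""

# Hypothetical allowlist for an application host: port -> expected process name.
ALLOWED: Dict[int, str] = {22: "sshd", 443: "nginx"}

# Addresses that are reachable only from the host itself.
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# Extracts the process name and pid from the users:(("name",pid=N,fd=M)) field.
PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


class Listener(NamedTuple):
    addr: str
    port: int
    proc: str
    pid: int


def parse_ss(output: str) -> List[Listener]:
    """Parse `ss -Htlnp` lines into Listener records; skips malformed lines."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Local address is the 4th column; the port follows the last colon,
        # which also handles IPv6 forms such as [::]:80.
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        m = PROC_RE.search(line)
        proc, pid = (m.group(1), int(m.group(2))) if m else ("?", 0)
        listeners.append(Listener(addr, int(port), proc, pid))
    return listeners


def audit(listeners: List[Listener], allowed: Dict[int, str]) -> List[Tuple[str, int, str]]:
    """Classify each listener as (severity, port, process).

    'unexpected'    - port not on the allowlist and bound to a non-loopback address
    'loopback'      - port not on the allowlist but reachable only from localhost
    'wrong-process' - allowlisted port, but served by a different process
    Allowlisted ports served by the expected process produce no finding.
    """
    findings = []
    for l in listeners:
        expected = allowed.get(l.port)
        if expected is None:
            severity = "loopback" if l.addr in LOOPBACK else "unexpected"
            findings.append((severity, l.port, l.proc))
        elif expected != l.proc:
            findings.append(("wrong-process", l.port, l.proc))
    return findings


def audit_sample() -> List[Tuple[str, int, str]]:
    """Run the audit over the constructed sample with the hypothetical allowlist."""
    return audit(parse_ss(SAMPLE_SS_OUTPUT), ALLOWED)


if __name__ == "__main__":
    for severity, port, proc in audit_sample():
        print(f"{severity:14} port {port:<6} {proc}")
```

On a real host the same logic would be fed the live output of `ss -Htlnp`; anything reported as `unexpected` is a service to disable or firewall, and a `wrong-process` finding (an allowlisted port served by something other than the expected daemon) deserves investigation rather than a config change.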
Each agency should also take steps to secure applications and data to prevent hacking and data theft, he said. “If these steps are not properly planned or implemented, the agency may very well be on a FedRAMP-compliant cloud but still have security holes in their solution,” he said. “All of these steps are absolutely necessary and normally are not part of a [cloud service provider’s] responsibility.”