The federal government program that certifies cloud technologies for use in the federal government is reaching out to agencies to gather threat intelligence reports to refine its certification process.
Speaking Sept. 4 at the Billington CyberSecurity conference in Washington, D.C., Ashley Mahan, acting director of the General Services Administration’s Federal Risk and Authorization Management Program, said that FedRAMP is expanding toward a “threat-based approach to authorization and risk-monitoring.”
“Right now, we’re working with various government agencies in obtaining that threat intelligence information, what kinds of threats are posed to our IT, and we’re literally mapping that to the suite of controls and security requirements that our cloud service providers meet,” Mahan said.
Mahan said that by incorporating these threats into the FedRAMP authorization process, the program is going to “empower agencies to have a risk-based approach to this authorization.”
Adjusting the security requirements to protect against threats agencies actually face will help agencies be more prepared for threats on the first day of cloud deployment, she said.
“It gives the agency the ability to start using the product faster ... and not only that, we’re going to take that information and also apply it to continuous monitoring,” Mahan said.
Mahan said that cloud services providers currently go through annual audits of security requirements, but with the integration of threat assessments, the audit process will be “smarter.”
“The threat information will also dictate what are the things that we need to audit,” Mahan said.