The Federal Risk and Authorization Management Program (FedRAMP) has been in place for just over a decade (since 2011). Its purpose is to provide a “cost-effective, risk-based approach for the adoption and use of cloud services” by the federal government: to equip and enable federal agencies to use cloud technologies in a way that minimizes risk exposure by securing and protecting federal information and processes. It promotes the use of secure cloud services by standardizing security and risk assessments, with corresponding controls to mitigate risk. Through FedRAMP, federal agencies gain access to FedRAMP authorized and certified cloud services that have been vetted and approved to confirm they conform to the program's controls and compliance requirements, minimizing risk exposure.
However, for cloud service providers (CSPs) the FedRAMP process is not easy. It requires a great deal of defined structure, controls, and processes for the ongoing management of security controls, risk assessments, and response, and FedRAMP authorization and certification can be a daunting undertaking. Organizations seeking FedRAMP certification need the right security architecture and processes in place and maintained on a continuous basis, with a full audit trail and a system of record covering FedRAMP requirements, related activities, assessments, and controls.
Managing and maintaining FedRAMP certification in manual processes will lead to . . .
[THE REST OF THIS ARTICLE CAN BE FOUND ON THE IGNYTE BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]