Maria Roat, the director of the Federal Risk and Authorization Management Program, already has “eight or nine initiatives” lined up over the next two years that are designed to help the cloud-standardization program reach maturity.
Roat, speaking at a federal cloud computing summit Wednesday, highlighted several changes to the program, better known as FedRAMP, that are already underway.
Recently, FedRAMP released an updated security control baseline aligned with revision 4 of the National Institute of Standards and Technology’s Special Publication 800-53, the control catalog the program builds on. Roat called meeting those changes a “really big lift for my team.”
Raising the baseline was on Roat’s radar a year ago, but she said she “couldn’t get answers to what was a high baseline in the cloud.”
“When you start looking at the maturity of agencies across the federal government and that maturity across the board to the acceptance of cloud a year ago, [agencies] weren’t ready for the high baseline yet. I think now the timing is right to dig into that high baseline,” she said. “Now that the acceptance of the cloud has been happening [and] more and more agencies are embracing the cloud as a solution, I think the timing is right to really get that high baseline out there.”
Roat also talked about moving beyond the once-a-year audit of systems toward a continuous monitoring model, saying the General Services Administration, which oversees FedRAMP, is looking for the right point at which to make that shift.
“I’ve put that out to my team and I said, ‘Is there some kind of maturity model with the cloud providers through FedRAMP that we can say if this cloud provider is at a certain maturity level, maybe you don’t have to do that annual testing every year?'” Roat said.
Not all of the monitoring will fall on agencies, Roat said. Cloud providers will still be required to go through a certain amount of testing.
“When you look at the cloud providers, when you are looking at the trends…a lot of their processes will come out on the other end,” she said. “If they’re not doing a good job on incident response, if they are not doing a good job on [content management] with their patching, that’s going to come out during the monthly scans.”
Roat also took time to address some confusion about what agencies are responsible for when implementing a hybrid cloud, which some at the conference considered “painful and complicated.”
“When you look at hybrid controls, you look at responsibilities across FISMA, agencies will have responsibilities sometimes around their implementation,” Roat said. “It’s very clear that when you look at our documentation and what the [cloud service provider] does, you know very clearly what the agencies are responsible for. I don’t know if I would couch that as painful or complicated, it’s just a matter of understanding.”