February 9, 2017

Why States Adopt FedRAMP to Meet Government Cloud Security Norms


Let’s begin with the obvious: state and federal governments don’t always see eye to eye. It’s been that way since the founding of our country and continues to this day. It affects the general public on topics as varied as seat belts, motorcycle helmet laws and the legalization of marijuana. However, what the general public doesn’t typically see is the constant push and pull involving standards and regulations, a frequent occurrence in the tech industry.

When a state can do it their way, they most often take that course. However, when it comes to the security of cloud products and services, 50 different approaches aren’t going to do the job effectively.

The Federal Risk and Authorization Management Program (FedRAMP) is a civilian-side, federal government-wide program that standardizes the approach to assessing, authorizing and continuously monitoring cloud products and services. According to a government IT contractor’s trade association, states should get on board. Here are the top 6 reasons all states should adopt FedRAMP Standards.

1. FedRAMP Sets the Bar for Government Cloud Security

For federal agency cloud deployments and service models at low and moderate risk impact levels, FedRAMP is mandatory. The only exception is for private cloud deployments intended for single organizations that are implemented fully within federal facilities. States are smart to adopt FedRAMP standards because FedRAMP has been vetted and implemented in the systems and controls that protect data in the cloud.

For instance, FedRAMP sets the risk rating and provides guidelines to make sure your organization can identify the security controls needed for your system to host cloud data securely. FedRAMP partners, such as NIST, have already done the work, saving states the time and costs of building an entirely new wheel.

2. Dependable Security Standards

FedRAMP requirements are based on the National Institute of Standards and Technology (NIST) SP 800-53 Revision 4 catalog of controls. These security controls apply to the cloud systems provided by Edge Hosting – those designated as moderate impact information systems. Some of the controls of FedRAMP are even more rigorous than standard NIST guidelines, giving adopters of FedRAMP requirements a reasonable assurance of security implementation.

In addition to strong security controls, FedRAMP dictates rigorous testing for cloud service provider compliance through a Continuous Monitoring (ConMon) program. This ConMon program includes a training program, security awareness, vulnerability assessment and incident response procedure documentation. FedRAMP strongly underscores the continuous need for monitoring and validation testing, to help ensure the safety of cloud-stored data.

3. The Importance of Standardization

It has been mentioned earlier, but standardizing something as big and complex as the approach to cloud computing has enormous benefits just by decreasing the number of spin-offs and variations. One can argue that since competition is good for business, it may make sense to have more competition or options for security standards.

However, with little or no standardization of basic security principles, controls and guidelines, it is difficult to establish a benchmark or best practices. FedRAMP provides this benchmark. Additionally, a lack of standardization fosters the dominance of closed operating systems. Think of it in terms of Google – an openly shared system that plays nicely with other programs and applications. With states implementing FedRAMP, the state’s system now allows for cross-application and cross-platform communication and collaboration.

4. FedRAMP Will Help Drive Down Cost and Risk

The old way of dealing with the certification and accreditation process was extensive and cumbersome. Adding insult to injury, switching systems or platforms often meant repeating the process over and over again. According to a September 2014 United States Government Accountability Office (GAO) report, the amount that agencies added to cloud computing services grew to $529 million. A state adopting FedRAMP standards can save significant cost, time and resources, because with FedRAMP you only have to be certified once and then maintain the certification through the prescribed Continuous Monitoring (ConMon) process.

At Edge Hosting, we streamline the process even further. We complete as much ahead of time as we can for you. We simplify the transfer of your external system to Edge cloud hosting, going through and filling out the FedRAMP checklist while marking the specific areas that need your direct attention. We reduce the risk of clerical or transfer errors and put you in accordance with the FedRAMP standards of joint security assessments and authorizations, consistent evaluations of security controls, and continuous monitoring. We help mitigate the risks associated with cloud computing while giving your company peace of mind with the knowledge that your data is well protected.

5. FedRAMP Helps Eliminate Redundancy

When multiple agencies try to certify products and services for security compliance across varied and disparate processes, redundancy is inevitable. While each will have their unique tweaks, much will be the same, as they are working towards the same goal. This redundancy wastes time, resources and money.

Using FedRAMP as the standard, redundancies are eliminated as everyone is following the same framework. This doesn’t mean that FedRAMP isn’t flexible. A cloud service provider must be allowed to be innovative so as to bring cost-effective solutions to the table. FedRAMP is flexible in that it allows for innovation and adjustments to meet specific criteria or needs while keeping the security controls intact.

6. FedRAMP Is a Strong Selling Point to Customers

FedRAMP is a stringent set of cloud security controls, tested by the largest organization on the planet and available for free. For states, adopting FedRAMP standards shows a commitment to security and best practices for data in the cloud, and alignment with federal standards.

For customers, this can be boiled down to trust. With the number of cyber security attacks in the world today and the explosion of big data, customers need to have reasonable assurances that their data is safe. FedRAMP sets appropriate expectations for cloud service providers. It provides a reason to believe, and a benchmark to judge security controls and standards.

Partnering with Edge Hosting

If you’re looking for more insights on FedRAMP compliance then you’ll want to download our eBook “The Ultimate Guide to FedRAMP Compliance.” Get started with a well-defined roadmap and a trusted partner to achieve government cloud security compliance.
