Okay, I know I’ve written about the accreditation process for cloud computing solutions quite frequently in the last few weeks. It’s just been a hot topic in light of the recent NIST event and all of the talk around streamlining cloud accreditation via FedRAMP. But this is the last time I’m going to write about it for a while... I swear.
According to an article on Federal News Radio’s Web site, the General Services Administration (GSA) and Federal CIO Council are looking for feedback from agencies, vendors and the public about process templates, guides, common security requirements and other program-related aspects of FedRAMP.
Although FedRAMP remains an amazing concept on paper, it’s still failing to meet its potential in reality. In addition to taking a very long time to materialize, it still isn’t completely inclusive of all government agencies.
FedRAMP establishes a baseline of security requirements, but still gives agencies the freedom to do additional testing for what they call “delta requirements.” In the case of defense and intelligence agencies, where data is extremely sensitive, these “delta requirements” could essentially force cloud solutions that have already received accreditation through FedRAMP to undergo a whole additional set of tests and accreditation processes.
Also, steps toward continuous monitoring are welcome, but it’s unclear how the common operating picture for cloud gets reconciled with the common operating picture for cyber security. They can’t be brought together without a toolset or framework for governance, risk and compliance.
If you have additional comments on FedRAMP, they can be submitted using the FedRAMP online comment form until 11:59PM ET on Thursday, December 2, 2010. Comments will be reviewed by a joint team of representatives from across government for inclusion and updates in the final documents.
Now’s your chance to rise up and be heard. If we all chime in and help to shape FedRAMP, we can work towards making it the inclusive and effective accreditation process that we all hoped it would be when it was proposed.