Comments
Cloud Providers Align With FedRAMP Security Standards
Newest First  |  Oldest First  |  Threaded View
WKash
50%
50%
WKash,
User Rank: Author
1/27/2014 | 4:15:02 PM
ABC7 News Program Takes Notice of FedRAMP story
Those who follow FedRAMP may be interested to note, Washington's ABC7 TV news program, Government Matters, featured a segment, based on this report, on this past Sunday's program.  Here's a link to the program: http://www.wjla.com/articles/2014/01/government-matters---jan-26-2014-99605.html

 
WKash
50%
50%
WKash,
User Rank: Author
1/23/2014 | 9:02:45 PM
Re: Standards are great but don't forget about evolving risk
Affine, you make a fair point about the limits of using standards in an evolving cyber world. But FedRAMP isn't just about meeting a securitiy checklist, its also about assessing the risk posture of a system and being prepared for the risks. That's why they call it the Federal Risk and Authorization Management Program, not just the Federal Security and Authorization Management Program.
Affine
50%
50%
Affine,
User Rank: Apprentice
1/22/2014 | 12:26:30 PM
Standards are great but don't forget about evolving risk
The more we can get to a standards based security program, the easier for organizations to improve their security posture.  The risk that most organizations need to avoid is assuming that meeting the standards means they don't need to do anything thing else for security and IT risk.  This is an evolving landscape and NIST, PCI nor any other standard will ever keep up with the attackers will and desire to find new avenues for getting to the data and information that they want.  A strong security program that leverages a standard as a baseline but includes a strong risk analysis program that monitors and responds to the threat landscape is critical in the current environment we do are doing business in.
JaCa
50%
50%
JaCa,
User Rank: Apprentice
1/22/2014 | 7:20:17 AM
Managing Cloud Risks With Service Organization Controls
Great to see FEDRAMP accelerating cloud adoption rates however with the current state of cloud security in general this will at times fall short in ensuring an absolutely secure computing environment, bespoke security for cloud based apps is still the way forward along with using compliance standards such as SOC to manage security. I work for McGladrey and there's a whitepaper on the website that aligns well with this article that was created on this subject, readers will be interested in it. @ "Managing cloud risks with service organization controls"   http://bit.ly/1a2LQnE
RB22
50%
50%
RB22,
User Rank: Apprentice
1/21/2014 | 2:55:09 PM
No doubt that "foundational security controls" built on a common standard are catching fire.
As a member of a leading 3PAO, I am excited to see this transformation as it occurs. What is equally impressive, is that organizations are not opting for a "lesser" standard, but instead, are adopting a standard that is challenging from the planning phase through continuous operation.
WKash
50%
50%
WKash,
User Rank: Author
1/21/2014 | 1:50:26 PM
Re: See Teresa Takai's take on JAB vs Agency ATO
Thanks for raising issue regarding JAB vs agency authorization and its scope.  When the JAB gives a cloud service "Provisional Authority to Operate" it has satisfied the CIO offices at DOD, DHS and GSA, as opposed to a single agency. some would say that carries more weight. But the the FedRAMP authoriztion by an agency, as HHS did with Amazone Web Services, satisfies the same requirements.


Of equal importance, and thanks for raising this also, FedRAMP authoritiy lapplies to a specific service.  AWS, for instance has more than three dozen cloud services across multiple regions. What HHS appoved was two infrastructure services that specifically meet HHS' requirements.  Other agencies can now build on those services, but that does not mean other AWS services share the FedRAMP seal of approval.

 
JFKHILTON
50%
50%
JFKHILTON,
User Rank: Apprentice
1/21/2014 | 10:33:50 AM
See Teresa Takai's take on JAB vs Agency ATO
The JAB vs Agency ATO difference isn't a debate. See quote from DoD CIO Takai to may help the deflections that occur about difference. Its not theoretical as some say, it is however rigourous.

 

"Cloud service providers can still receive direct operating authority from an individual federal agency, as Amazon Web Services did last May from the Department of Health and Human Services. But approval by FedRAMP's Joint Authorization Board, on which Takai sits, offers an added badge of authority that a cloud service conforms to a baseline of security standards that, subject to provisional review, will satisfy the demands of most federal agencies."

 

Beware / watch presentations made by CSP's, if one particular offering is FedRAMP accredited it does not "peanut butter" across all the CSP's offerings. Sat in many of presentations that one would assume the all the product offerings a CSP has; are accredited because one of the services has had an Agency ATO.


IT's Reputation: What the Data Says
IT's Reputation: What the Data Says
InformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business really views IT's performance in delivering services - and, more important, powering innovation. Our results suggest IT leaders should worry less about whether they're getting enough resources and more about the relationships they have with business unit peers.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Government Tech Digest Oct. 27, 2014
To meet obligations -- and avoid accusations of cover-up and incompetence -- federal agencies must get serious about digitizing records.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and community news at InformationWeek.com.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.