FedRAMP How the Feds Plan to Manage Cloud Security Risks

Steven Fox

Wed, 12th December 2012


Speaker Bio 1:
Steven F. Fox
Steven F. Fox, CISSP is a Security Architecture and Engineering Advisor at the U.S. Department of the Treasury. In this role, Steven advises multiple groups within the Treasury, offering security guidance on system architecture and engineering to ensure compliance with Federal standards and requirements. He also contributes to multiple working groups including the IPv6 transition team, Developer Security Testing workgroup, and the Security and Privacy workgroup.

Steven brings a cross-disciplinary perspective to the practice of information security, combining his experience as a security consultant, a Senior IT Auditor and a systems engineer with principles from behavioral and organizational psychology to address security challenges. He has performed security services including risk, vulnerability and penetration testing assessments, incident response planning, PCI DSS services, and social engineering.

Steven's presentation will address how the Federal government plans to manage cloud security risks. FedRAMP is the Federal Risk and Authorization Management Program. This program is an innovative policy approach aimed at developing trusted relationships between Federal agencies and cloud service providers. The primary goal of this program is to reduce duplicative efforts, inconsistencies and cost inefficiencies associated with the current security authorization process. FedRAMP establishes a public-private partnership to promote innovation and the advancement of more secure information technologies.

By using an agile and flexible framework, FedRAMP is enabling the Federal Government to accelerate the adoption of cloud computing by creating transparent standards and processes for security authorizations and allowing agencies to leverage security authorizations on a government-wide scale. The program is designed to comply with the Federal Information Security Management Act of 2002 (FISMA).

FedRAMP is the result of a close collaboration with cybersecurity and cloud experts from GSA, NIST, DHS, DOD, NSA, OMB, the Federal CIO Council and its working groups, as well as private industry.

Questions and answers

Max, Concise Courses:
Are you aware of any Federal agencies using non-US Cloud Service Providers?

Steven F. Fox:
Currently no. The Federal government is very concerned about keeping that dataflow within US confines. That's not to say that they may not explore that [outsourcing or using non-US Cloud Solutions] down the road as the cloud control environment changes, but as of right now it is US-centered.


Max, Concise Courses:
If the private sector is already providing a level of security superior to that of the Federal government, is it [FedRAMP] really necessary? Do you disagree with that statement?

Steven F. Fox:
Well, the private sector has different priorities and different standards than the Federal government. The Federal government has something that the private sector does not have: it has a single standard for the most part [and a] collection of controls by which they judge low or moderate projects. I really can't say that that exists within the private sector.


Max, Concise Courses:
Do you have a handle on state and local adoption of cloud service providers?

Steven F. Fox:
That's an interesting question. Definitely get hold of me through email. I don't have that answer right now, but I'll definitely get back to you on that. FedRAMP right now is scoped for Federal projects. I imagine that state projects are waiting to see how successful FedRAMP is.