The overlay will serve as the “first step” in allowing agencies greater flexibility as they move to securely adopt cloud services.
The Federal Risk and Authorization Management Program, the body that creates standardized cloud computing security requirements, continues to evolve to take on new challenges.
The latest effort came in the release of a draft overlay from the FedRAMP program office and Department of Homeland Security-led Trusted Internet Connections initiative, which standardizes the security of individual external network connections used by federal agencies.
The overlay will serve as the “first step in updating TIC’s current reference architecture to allow agencies greater flexibility as they move to securely adopt cloud services,” according to documents.
FedRAMP and TIC seek public comment from cloud service providers, federal agencies and other stakeholders by May 2.
Once the overlay is finalized, it will allow agencies to ensure cloud services they use both meet FedRAMP requirements and have all capabilities needed for agencies to meet the TIC initiative, the document states.
The overlay is expected to reduce duplicative assessment processes carried out through both initiatives.
Perhaps more important, the overlay aims to ultimately alleviate another issue prevalent in today’s federal technology landscape. Federal employees (end users) predominantly access their agency’s cloud services through TICs, but previously those standards haven’t meshed, and that issue has been made more challenging with the rapid proliferation of mobile devices in recent years.
Now, DHS and FedRAMP officials believe the overlay will allow cloud service providers to “demonstrate their ability to provide TIC required controls, which enables agencies to enforce the TIC capabilities” through the FedRAMP framework.
"To do this, the TIC capabilities have been mapped to the FedRAMP security controls," through a draft overlay, the documents state. Cloud service providers "will be able to use this overlay during a FedRAMP security assessment to prove they can provide agencies with the ability to enforce TIC capabilities for mobile users."
This is just the latest effort taken on by the FedRAMP crew. The program office released draft standards to protect the government’s most sensitive unclassified data in January, revamped its website -- run in the cloud, by the way -- and continues churning out labor-intensive authorizations for cloud service providers.