The Federal Risk and Authorization Management Program, known as FedRAMP, is designed to create security standards for the federal government’s use of the cloud; the feds would like to deploy it by the summer.
David LeDuc, director of public policy at the Software and Information Industry Association, told Nextgov that the government’s goal is “aggressive” but “achievable,” as long as “they take it in the right direction.”
So what is the right direction? Software designers say the first step is leaving the “one-size-fits-all approach” behind.
In public comments earlier this month, SIIA said the proposed requirements “are, in many cases, overly prescriptive and not sufficiently vendor neutral, nor do they effectively differentiate between the three basic cloud functions.”
Now, according to Nextgov, the General Services Administration is taking a long, hard look at the requirements.
“We are working collaboratively with government and industry experts to explore the potential merits of moving toward a performance-based security assessment process, especially for technical security controls,” said GSA spokeswoman Sara Merriam. “The FedRAMP requirements must facilitate the trust required between agencies and industry to work toward proactive cloud computing adoption in support of the administration’s cloud-first policy.”