NOTE: This article first appeared on LinkedIn.
Living in the Washington, DC area, we are bombarded with advertisements touting services for the government. These ads cover everything from logistics services, to basic office services provided by companies that support the physically challenged, to technology services. The ads that resonate with me are the ones for “cloud” services that tout being FedRAMP certified.
When I hear those ads, FedRAMP is usually preceded by the adjectives “strict” or “tough.” These are the same companies that, when they are not on the radio, call FedRAMP onerous and unnecessary. Up until recently, I was not a fan of FedRAMP and cloud computing. Then I had to dive into FedRAMP and found a lot to like and even love as a government security professional.
In basic terms, FedRAMP, or the Federal Risk and Authorization Management Program, takes the federal government’s security requirements under the Federal Information Security Management Act of 2002 (FISMA; 44 U.S.C. §3541, et seq.) and translates them into something that can be used to certify a service for use by the federal government. Those of us who are used to basing agency security controls and policies on National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 will recognize the security package required by FedRAMP.
After a considerable review of the FedRAMP documents and requirements, it was surprising how the authors of FedRAMP broke down the policies and translated them into something that can be used as a model for anyone. Even the System Security Plan (SSP) follows NIST SP 800-53 and provides guidance to these service providers so that they can be as compliant with FISMA as their government clients.
An agency that continues to have problems with FISMA compliance and needs to jump-start its security program with a solid policy base can look to FedRAMP to provide the basic security package. Government entities that are not required to be FISMA compliant but need better security policies, like the U.S. Courts, could do worse than using FedRAMP as their foundation.
While FedRAMP and FISMA are not perfect, they can be used as a tool to help mitigate more risks than most other frameworks widely in use in the United States (ISO 27001 being an exception). FedRAMP sets the bar higher than anything the Payment Card Industry (PCI) requires, which is why federal systems (those not run by contractors) have fewer security incidents and why those systems cause less damage to the security and privacy of the public.
With the continual damage to the integrity of the payment card industry from the hacking of commercial enterprises, maybe the PCI Data Security Standard (DSS) needs to be replaced with FedRAMP. The problems over the last few years have proven that PCI DSS does not provide a sufficient framework and, even in its third revision, is insufficient to protect financial data. After all, isn’t the definition of insanity doing the same thing over again and expecting a different outcome? It is time for PCI to stop the insanity!
UPDATE: Recently, I had the displeasure of trying to map FISMA requirements, the basis for FedRAMP, to those of PCI-DSS. Based on this exercise, it is not surprising that companies that are allegedly PCI-DSS compliant are successfully attacked. PCI-DSS can best be described as “security theater,” where one can wave their hands and say, “we’re secure.” If the federal agencies I have worked for were only PCI-DSS compliant, then the agencies would be far worse than they are today.
Rather than worrying about how bad PCI-DSS is, I am using the products produced by the U.S. Mint and the Bureau of Engraving and Printing.