How FedRAMP Compliance Can Give You a Competitive Edge

With cloud adoption comes the challenge of ensuring a secure and trustworthy environment. That’s where FedRAMP comes in.

When describing cloud computing, terms like highly scalable, efficient, and on-demand probably come to mind. Unfortunately, those same descriptors aren't commonly associated with operations in the federal government.

In 2011, the White House's Office of Management and Budget set out to change that with the Cloud First policy. Through cloud computing, the OMB aimed to help federal agencies consolidate and provide new services cheaper and faster.

But with cloud adoption comes the heightened challenge of ensuring a secure and trustworthy environment. That's where FedRAMP comes in.

FedRAMP defines the requirements for cloud service providers' security controls, including vulnerability scanning, incident monitoring, logging, and reporting. CSPs in use at federal agencies or in acquisition must meet the cloud computing requirements defined by FedRAMP.

Whether or not your company currently works with government agencies, there are several benefits to preparing for FedRAMP:

  • Sales potential: FedRAMP compliance allows you to compete for government business, but it will also give you a competitive advantage over CSPs that haven't gone through such a lengthy assessment. Even if you don't end up doing business with a government agency, customers will be more confident going with a CSP that's prepared for FedRAMP. This is especially true if your customer is also a CSP interested in bidding in a government RFP for cloud services.
  • Risk management: Preparing for FedRAMP will expose vulnerabilities in your system and help you better understand them. Risk management can also draw a line in the sand to define where your risk ownership starts and stops. It's important to communicate this to your customers to eliminate confusion.
  • Unified compliance: FedRAMP requirements can map back to many industry standards, including ISO 27001, PCI, HIPAA/HITECH, COBIT, and GLBA. Done correctly, preparing for FedRAMP can help CSPs establish a unified compliance approach to the litany of compliance requirements their customers have. Unified compliance limits the duplication of assurance efforts across regulations and between a CSP and its clients.

If you have no plans to pursue government contracts, don't blindly spend money on certification just to check a compliance box. FedRAMP aims to centralize compliance checking in a "do once, use many" process, but the costs can be quite high. In any case, simply evaluating your organization against FedRAMP's standards will provide an invaluable risk assessment.

However, CSPs that could potentially be a part of the government ecosystem - either directly or indirectly through their customers - should prepare themselves for FedRAMP. They need to weigh the costs and benefits of determining where their organizations align with the federal government's Cloud First policy.

Delegate the Details
FedRAMP compliance is a highly detailed process, and the planning itself is exhaustive. You'll need to seek outside help to create your system security plan and work with a third-party assessment organization.

Before you bring in outsiders, however, there are a few preparations you need to make internally. The FedRAMP PMO has created extensive checklists to help you do as much as possible on your own.

Once you've gone through the checklists, find a partner to help you do the following:

  1. Categorize your system. Based on the FIPS 199 template, categorize your system to determine whether your risk impact is low, moderate, or high.
  2. Select and/or implement security controls. Using NIST 800-53, select the baseline controls that apply to your organization. Implement those or create a plan for implementation.
  3. Create a system security plan. This plan documents all the details regarding the first two steps and defines the boundaries of your system. This template is one of the first things reviewed during a FedRAMP assessment.

Getting your FedRAMP certification is a lengthy process, and it's not the right option for every company. By taking the necessary steps and preparing yourself in advance, you'll be one step closer to enjoying the competitive advantage it affords.

More Stories By Brad Thies

Brad Thies is principal at Barr Assurance & Advisory Inc., a risk consulting and compliance firm that provides business performance, information technology, and assurance services to clients across a variety of industries. He specializes in helping clients assess, design, and implement processes and controls to meet customer, regulatory, and compliance requirements. Brad is a certified public accountant and a certified information system auditor with more than 10 years of experience in the industry.
