The federal government is doing a good job establishing cybersecurity requirements for cloud providers, and industry looking to do the same should look no further, according to John Pescatore, director of emerging security trends at the SANS Institute.

Agencies are under mandate to consider cloud services ahead of other options but not at the expense of security. To ensure agencies are procuring secure services, the General Services Administration set up the Federal Risk and Authorization Management Program (FedRAMP), which has created a set of baseline security requirements that all cloud service providers must meet before hosting federal systems.

"For example, the GSA FedRAMP program for cloud — at Gartner, I found myself pointing private industry customers toward that," he said. "You need good security requirements around procuring cloud? Look what FedRAMP's done. Not some industry-driven consortium."

FedRAMP requirements are based on controls developed by the National Institute of Standards and Technology, though the frameworks developed by the program office offer a streamlined process for assessing a cloud provider's security.

Currently, FedRAMP offers baselines for low and moderate security needs, though the office is in the process of finalizing a high security baseline, scheduled for release before the end of the year.

Aaron Boyd is an award-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.
