FCW : July 15, 2015
system against the FedRAMP security baseline. These costs can easily reach $200,000 or more in audit fees alone. Another major obstacle is having enough people on staff with the right skills, resources and time to understand what is required and actually meet those requirements. Finding qualified information security staff is difficult enough; adding FedRAMP expertise to the equation makes it a constant struggle for many agencies. To overcome this issue, many agencies rely on outside resources to assist with preparing and packaging the security-related documentation and with managing these complex projects. Agencies also must have the right processes and procedures in place to comply with FedRAMP, which can require extensive updating of existing processes and procedures as well as retraining of staff. Finally, agencies must have the right tools not only to achieve compliance but also to maintain it, including tools for vulnerability scanning, penetration testing, continuous monitoring and more.

Overcoming the obstacles

Starting with a fully certified vendor eliminates or drastically reduces many of these pain points. A FedRAMP-certified vendor will already hold an Authorization to Operate (ATO), which is required for every federal environment. The work behind that authorization includes accreditation package preparation, ATO audit support, remediation for the ATO if required, and ongoing compliance governance. The vendor will also have the required structure and processes in place for physical security, information security, security monitoring, network security, patching, vulnerability management and continuous monitoring. “All of the things agencies have to do for their cloud applications to become FedRAMP compliant can be overwhelming,” said Tim Burke, Compliant Cloud Services Product Manager at Carpathia. “Using an authorized cloud service provider doesn’t eliminate all of the challenges, but it does significantly reduce the burden on the agency, and drastically speeds time to market.”

Because FedRAMP-certified vendors must meet all of the security requirements for the services they provide, agencies can be assured that even the most difficult requirements will be addressed for the portion of the stack the vendor controls. For example, ensuring and maintaining encrypted sessions can be a tall order. Vendors are required to provide administrative access for their own and agency operators in a manner that satisfies multifactor authentication and FIPS 140-2 encryption requirements, and meeting those requirements adds both cost and complexity when an agency builds the solution in-house. Relying on a certified vendor also can reduce the cost of compliance for a significant part of the technology stack. Physical and other controls that the cloud vendor is responsible for have already been assessed as compliant, greatly reducing the

EXECUTIVE INSIGHTS: THE COMPLIANCE PUZZLE | SPONSORED CONTENT

The Policies and Procedures Hurdle of FedRAMP

In addition to readying cloud systems for FedRAMP certification and ensuring that compliance is continuously maintained, agencies must comply with dozens of specific policies and procedures covering everything from data and information classification to social media use. For many of these, FedRAMP has downloadable templates, which give agencies a starting point for each policy and procedure. For others—Business Impact Analysis, Configuration Management Plan, Incident Response Plan, Interconnection Security Agreement, and Penetration Test Plan—no templates are available. While templates provide a starting place, the internal, technological and training challenges associated with each required policy and procedure are time-consuming, and the templates assume that agencies have the knowledge and time to comply. Some agencies may be better positioned to tackle some of these requirements, but few agencies have the internal expertise to handle them all.

For policies and procedures that are difficult to manage, agencies often turn to a third-party organization that can review existing policies, identify gaps, and ensure that procedures and documentation align with both organizational and regulatory goals. By using one of these companies, agencies can realize the same type of benefits they get when using FedRAMP-certified hosting services and technology vendors: expertise, cost efficiency and improved time to market.