FCW : March 15, 2016
DrillDown

FedRAMP and CDM: A dual path to security in the cloud

By considering the link between the two programs, agencies can unite the demands of improving security and embracing the cloud

BY PATRICK D. HOWARD

In the timeless words of Yogi Berra, “When you come to a fork in the road, take it.” Federal IT managers know all too well the challenge of going down two paths. Two of the biggest have been the mandates to migrate to the cloud and to better secure government IT systems through continuous monitoring.

On the one hand, federal agencies have been directed to use a “cloud first” strategy, but they’ve been hesitant because of concerns about the security of their data in the cloud. On the other hand, the successful penetrations of agency networks and systems at the Office of Personnel Management, State Department and elsewhere have given agencies pause about the security of their systems and information.

Fortunately, federal IT leaders have two maturing programs designed to address those concerns: the Federal Risk and Authorization Management Program (FedRAMP) for ensuring security in the cloud, and the Continuous Diagnostics and Mitigation (CDM) program for more quickly finding and fixing IT security risks.

Each has its own priorities and particulars, which has kept them separate and distinct in the minds of many IT managers. But now is the time for agencies to begin viewing FedRAMP and CDM in tandem and thinking about how they can work in concert. By considering their linkage, agencies can chart a path that unites the dual demands of improving their security while also embracing the cloud.

Clouded reality — then and now

Despite all the benefits and efficiencies that have been touted for consolidating systems in the cloud, federal executives still need to be convinced that their sensitive data can be adequately protected. In reality, a good case can be made that today’s cloud service providers (CSPs) are able to do an equal or better job of securing government data than many agencies can do for themselves.

For one thing, CSPs are more experienced in cloud security because that’s the focus of their business, and they’re using more mature and proven risk management processes.

Furthermore, FedRAMP relies on a highly technical and comprehensive assessment (based on the National Institute of Standards and Technology’s 800-53 set of security controls) to ensure that third-party CSPs meet government security standards and appropriately manage information risk.

FedRAMP officials raised the bar for cloud security when they released a draft of a new certification last year that provides the strongest authorization level yet for putting more sensitive data in the cloud. Establishing a higher baseline to protect sensitive data and personally identifiable information seems logical, but what’s less obvious is that requiring a higher authorization level for storing sensitive data in the cloud also aligns with and enables the direction of the CDM program.

Continuous monitoring: From premises to cloud

Federal IT managers have gotten on board with continuous monitoring and moved from compliance-based security efforts to more agile, real-time risk management to find and fix vulnerabilities before they are exploited.

In the past year, the Department of Homeland Security has been launching CDM Phase 1 tools for agencies to manage their IT hardware and software assets, configuration settings and vulnerabilities. Those tools have mostly been in the form of products and software licenses. But interestingly, for the last grouping of 40 smaller agencies (task order 2F), DHS
March 30, 2016