Is the FedRAMP certification making a difference?

There was speculation in the security world over whether the FedRAMP certification would be helpful or not. Now that it's in full use, Mike Chapple looks at the state of FedRAMP.

What's the latest update on the FedRAMP certification? A year ago it was still a relatively new standard and there was some concern as to whether or not it would be helpful. How has FedRAMP cloud security compliance played out?

FedRAMP is ramping up! (I'm sorry, I couldn't help myself.) The Federal Risk and Authorization Management Program launched in 2012 with the intent of standardizing security assessments across the federal government. IT managers throughout the government hoped the program would help streamline the process of evaluating and selecting service providers as government agencies moved to adopt cloud computing. Cloud service providers had until June 2014 to submit their applications for FedRAMP certification.

To date, many major service providers, including Amazon Web Services, Microsoft Azure and Oracle have become FedRAMP certified and can now be used by federal government agencies. The adoption of their services by the federal government is one sign of the program's success.

That said, some of FedRAMP's success falls outside its intended sphere of influence. Cloud service providers often cite FedRAMP certification in their sales pitches to private companies, and many security professionals around the world look to this certification as a sign that a cloud provider takes security seriously and is willing to invest the talent and financial resources required to become FedRAMP certified.

It's likely that there will be increased growth of FedRAMP-style certification programs in the private sector as businesses around the world seek to get their arms around the difficult problem of evaluating the security posture of a wide variety of cloud providers. As organizations increase the number of providers they work with, it becomes increasingly difficult to perform assessments independently. As a result, shared certification programs promise to perform more thorough assessments in a more cost-effective manner by sharing the costs across a large number of customers.


This was last published in January 2016
