FedRAMP Prepares for 'Zero Trust' Stance
March 2, 2022
The growing threat of sophisticated cyber attacks has emphasized the importance of providing secure cloud services for the federal government. The Federal Risk and Authorization Management Program (FedRAMP) plays an important role in ensuring that federal requirements keep pace with technology advances and new security threats.
On January 26, 2022, the Office of Management and Budget released a federal strategy designed to move the federal government toward a “zero trust” approach to cybersecurity. Zero trust is a set of cybersecurity principles used by stakeholders to plan and implement an enterprise architecture that authenticates and verifies all systems, users, and devices.
The zero trust strategy will enable agencies to more rapidly detect, isolate, and respond to sophisticated attacks of this kind, while serving as a roadmap that moves the federal government toward a new cybersecurity model. As part of this strategy, FedRAMP will specifically “assist agencies by working with cloud platform providers to clarify that federal agency customers are permitted to authorize vulnerability testing on customer operated applications and infrastructure hosted on provider platforms.”
In addition, agencies are responsible for ensuring that vulnerabilities in their own applications are identified and remediated. They may also authorize the general public to identify and report vulnerabilities in an agency application that resides within a commercial cloud offering. Independently of any such agency authorization, the commercial cloud offering may itself allow the general public to identify and report vulnerabilities in the hosting infrastructure. This model is consistent with CISA Binding Operational Directive 20-01 and NIST SP 800-53 control RA-5(11), which is included in the NIST SP 800-53B Rev 5 baselines as well as the current draft FedRAMP Rev 5 baselines.
This approach allows the public to feel safe when identifying and reporting vulnerabilities on agency applications, increasing an agency’s commitment to data integrity. This readily aligns with current federal guidance and ensures enhanced security for FedRAMP’s expanding list of agency partners.
Please contact us at info@fedramp.gov with any questions.