FedRAMP May Replace Defense Department Cloud Classification Process
The Federal Risk and Authorization Management Program (FedRAMP) may ultimately eliminate the need for an information security classification process specific to the U.S. Defense Department, according to Teri Takai, Defense Department chief information officer. FedRAMP seeks to provide a governmentwide, standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. Takai voiced full support for the program on April 2 at the Security Through Innovation Summit, Washington, D.C., presented by Intel Security.
The Defense Department, Department of Homeland Security and Department of Justice are all supporting the program, she reported. “It’s important to emphasize that DOD, DHS and DOJ are in lockstep on support of what FedRAMP is doing. In fact, we’re all putting resources in to make sure that FedRAMP works. It is fully the intent for DOD to use the FedRAMP capabilities,” Takai assured the audience.
She added that currently, FedRAMP requires one process for classifying information, while the Defense Department uses another as required by the cloud broker at the Defense Information Systems Agency. “We’re working with FedRAMP and asking them to adopt things that we feel are important, as well as really trying to conform.” “In the future, what would be ideal is that we would classify top secret information in FedRAMP and not have to use the DOD classification,” she said. “I see this as an evolution and as something that’s going to continue to happen over time.”