FedRAMP Accreditation Key to Helping Federal Cloud Migration
The federal government has been slowly migrating its IT capabilities to the cloud by outsourcing services to contractors. Those contractors need to meet strict requirements under the Federal Risk and Authorization Management Program (FedRAMP).
While difficult to get, FedRAMP authorization is an important step for companies seeking to help federal agencies migrate to the cloud, Jon Green, chief security officer with Aruba Networks, told SIGNAL Magazine Editor in Chief Bob Ackerman during a SIGNAL Executive Video Series discussion.
FedRAMP authorization is important for Aruba’s government customers because it allows them to get the same benefits the company’s commercial clients have enjoyed, namely the ability to move to a cloud-based network management architecture.
This new capability also reflects ongoing changes in the way the federal government has done business for the past several decades, namely moving away from on-premise network management by appliances and software managed by the customers themselves to a contractor-managed, cloud-based service.
“All those disadvantages of having to do on-premise maintenance disappear with that because it’s now our problem to resolve,” Green said.
The move has other value in that FedRAMP is an evolving program and many agencies still haven’t been able to take full advantage of its capabilities, he added. One thing it did was change the accreditation model for how IT services can be consumed.
“The idea being that one agency goes through an ATO (authority to operate) and other agencies can then take advantage of that same ATO,” Green explains.
Being authorized on the FedRAMP marketplace tells organizations that a particular ATO was successfully achieved, setting the accreditation bar lower for other agencies wanting to adopt the same solution in terms of the work they have to do to get accredited, he said.
But getting FedRAMP accreditation can be challenging. Green noted that Aruba was surprised by the detail and complexity required and the steps taken to make sure contractors don’t simply handwave requirements.
“They’re pretty serious about making sure things are enforced,” Green said.
Additionally, following the SolarWinds hack by Russian intelligence agents and other cyber attacks in 2021, FedRAMP changed its rules, making mandatory many requirements that were previously optional.
To meet authorization requirements, Aruba contracted a third-party assessment organization (3PAO) certified to help cloud service providers and government agencies meet FedRAMP compliance regulations. The entire process took Aruba two and a half years.
“It’s a lot of detailed work,” Green said.
One of the surprises Aruba encountered on its way to accreditation was that TLS encryption between components of a cloud service became mandatory.
“If encryption is part of the native part of the design between components, then you don’t have to worry about that and we don’t have to worry about things suddenly becoming noncompliant when you shift it around,” Green said.
Aruba’s FedRAMP certification allows it to help its federal customers migrate cloud-based services and to scale up capabilities to meet a range of requirements.