This program is presented by Maximus
Brian Conrad, the acting FedRAMP Director and Program Manager for Cybersecurity at the General Services Administration, discussed the future of FedRAMP, the feedback from stakeholders, and the upcoming changes to enhance the program's efficiency and relevance.
- FedRAMP Evolution: FedRAMP is currently at a saturation stage, where its value is well-recognized by agencies and cloud providers. However, there's a continuous effort to grow and evolve the program, keeping in sync with modern demands and technologies.
- Stakeholder Feedback: The program seeks a broad range of comments from all its stakeholders, which includes not only the agencies and GSA but also industry partners, third-party assessors, and cloud providers. Feedback primarily focuses on speeding up processes, increasing efficiency, and addressing specific pain points.
- Automation & Modernization: A key focus for the next phase of FedRAMP is the incorporation of automation to expedite the authorization process. Collaborative efforts with NIST aim to streamline the intake of security artifacts and validate packages before they are presented to the government.
Neil Kronimus, Senior Vice President of Technology Strategy and Solutions at Maximus, sheds light on the evolving landscape of FedRAMP. With the growing importance of data security and the rapid adoption of cloud services, both agencies and companies grapple with new challenges and seek more efficient and collaborative ways to secure data and serve their missions.
- FedRAMP's Changing Landscape: With increasing companies aiming for FedRAMP authorization, there's a notable backlog. Emphasizing automation and faster routes to authorization can better serve agencies and citizens. The original intent of FedRAMP was to achieve an ATO (Authority to Operate) that could be reused by different agencies, a vision not fully realized today.
- Hybrid Multi-cloud Evolution: Initially, FedRAMP and cloud services primarily focused on storage. However, the advent of hybrid multi-cloud models offers agencies flexibility and scalability, allowing them to pick and choose services from various cloud providers while retaining some data on-premise. With this flexibility comes the added challenge of managing security across multiple cloud providers, making FedRAMP's role even more vital.
- Data's Growing Importance: The explosion of data in recent years has transformed the cloud from just a storage solution to an essential tool for agencies to convert data into actionable insights. This shift demands robust security measures, as data is sourced from a myriad of locations. Looking ahead, continuous monitoring, greater collaboration with FedRAMP, and widespread education are crucial for ensuring the safety and efficient utilization of this data.
Deputy Director of the FBI, Paul Abbate, highlights the increasing complexity of threats, especially the blurring lines between nation-states and criminal entities. The involvement of major nation-state actors such as China, Russia, Iran, and North Korea, and their collaborations with criminal groups is emphasized. Deputy Director Abbate also touches upon the utilization of advanced technologies like Artificial Intelligence (AI) by these threat actors and the efforts made by the FBI to stay ahead of them. Furthermore, he speaks about the importance of fostering partnerships with the community, intelligence agencies, law enforcement, and the private sector to tackle these threats effectively.
- Hybrid Cyber Threats: There is a growing trend of hybrid threats where nation-states collaborate with criminal entities to conduct cyber espionage, influence operations, and other malicious activities.
- Leveraging Advanced Technologies: Both adversaries and defense entities are leveraging advanced technologies such as AI to improve their operations. While adversaries use it to enhance the effectiveness of their attacks, the FBI uses it for data aggregation, analysis, and tasks like language translations.
- Importance of Trust and Collaboration: Building trust and strengthening partnerships, especially with the private sector, is crucial for preemptive actions against cyber threats. This mutual exchange of information helps in early identification of threats and prevention of potential harms.