When the internet was introduced to the public in the late 1980s, no one knew it would be what it is today. The internet and all its web applications weren’t built with security in mind. Now, many years later, we have to work to close those security gaps and to minimize, and even eliminate, any and all vulnerabilities that we have. The question that we will be answering today is “How does FedRAMP help agencies ensure the security of digital government services?” In order to answer this question, we need to understand a few other things: what FedRAMP is, what is meant by “Digital Government services”, and how FedRAMP contributes to improved security for digital services. Answering these questions effectively will get us the answers we are looking for to better understand FedRAMP.
FedRAMP Risk Management Program Discussion
“Digital government is typically defined as the production and delivery of information and services inside government and between government and the public using a range of information and communication technologies (Fountain, 2015).” This is the use of electronic communications devices, computers and the Internet to provide public services to citizens and other persons in a country or region. The acronym FedRAMP stands for Federal Risk and Authorization Management Program. “FedRAMP is a risk management program by which the U.S. federal government determines whether cloud products and services are secure enough to be used by federal agencies (Fruhlinger, 2018).” FedRAMP was created ultimately to support the government’s cloud computing plan. This program was intended to facilitate the adoption of cloud computing services among federal agencies by providing cloud service providers, or CSPs, with a single accreditation that could be used by all agencies. The goal of FedRAMP is to reduce the time and money that individual agencies would otherwise have to spend on assessing a cloud’s security (“What is FedRAMP (Federal Risk and Authorization Management Program)? – Definition from WhatIs.com”, 2019). This way, it not only helps improve security for digital services but also saves money.
Now that we understand that digital government services are how the government delivers services to the public and that FedRAMP is a risk management program to ensure services are safe for federal use, we can answer the ultimate question of how they help and work with one another. FedRAMP works with many agencies in several different ways at critical stages of the authorization process, as well as during continuous monitoring (post ATO), to ensure that they have all of the information they need to make the appropriate risk-based decisions for their organizations (FedRAMP, 2017). A few of the different ways that FedRAMP works with government are:
– Cloud transition support – Most agencies are transitioning to Cloud Service Providers (CSPs), which requires a lot of strategic planning and coordination, and FedRAMP often provides guidance to agencies as they make the move.
– Inter-Agency Collaboration – Convene with agency representatives at so they can collaborate and share their best practices and lessons learned. Additionally, FedRAMP meets with multiple agencies every day and, based on their unique challenges in moving to the cloud, pairs them up with other agencies that were able to successfully overcome similar situations.
Lastly, I would like to talk about the Digital Services Playbook. It is a book of 13 keys that will help government build effective digital services. Play number 11 is managing security and privacy through reusable processes, which explains what specifications and rules need to be followed while designing new digital services. It has a checklist of 6 different steps that lays out what needs to happen in order to deploy scripts to ensure the configuration of the production environment remains consistent and controllable (“The Digital Services Playbook — from the U.S. Digital Service”, 2019). There are also 6 questions, which include whether the service collects individuals’ PII and how it is shared, whether individuals are notified if their PII is being used, and a few other key questions.