As States move to the cloud: is FedRAMP the only assurance of security?

Transition to cloud is a crucial subject for government at all levels. Security is a necessary concern. A challenge for public sector entities, at any level, is how to have assurance of sufficient security. The concern grows in importance as more state or federal data is entrusted to the cloud and as more government functions are relocated to be hosted on the cloud.

I support completely the security objective. And I understand also why some state governments look to FedRAMP. It was created to enable federal civilian agencies to have an informed, consistent basis to authorize the use of cloud services. The level of security applied, generally, reflects both the importance or sensitivity of the information and the impact to the federal agency should there be compromise to the confidentiality, integrity or availability of information and the related information system.

For various reasons, some historical, but none in the nature of a "technological imperative," FedRAMP relies upon security principles and practices produced by NIST, notably Special Publication (SP) 800-53. FedRAMP draws from the 800-53 catalogue those controls and enhancements which are considered necessary for the level of security sought for the particular cloud implementation.

But security has a price, independent of what authorization regime is used, and the process of receiving authorization through a regime like FedRAMP can be very expensive and time-consuming. Adding price and the burden of bureaucratic processing tends to work against some of the conceptual benefits of cloud as an alternative to on-premises systems.

I have no objection to the use of FedRAMP as one way for states and state agencies to have sufficient trust in cloud security. But I do not believe that FedRAMP should be the exclusive means to establish security. There are many other security regimes (e.g., ISO, CSA, SANS) used by world-class cloud providers for enterprise-critical cloud applications that seek the same results as FedRAMP but rely upon different security tools than those that happen to be articulated in NIST SP 800-53 and aggregated into requirement sets within FedRAMP. A State government may use FedRAMP as the "benchmark" but, in my opinion, should accommodate security achieved and demonstrated by other means. This will open the door to more competition, better services, and better pricing.

In one area of federal regulation - "Covered Defense Information" - the Department of Defense has decided that it will allow its contractors to secure unclassified but sensitive federal information using cloud service providers whose security is "equivalent to FedRAMP Moderate." DFARS 252.239-7012. This means that DoD's contractors can use cloud services from FedRAMP-authorized companies like AWS or Microsoft, but they also can use cloud from other sources where the provider can demonstrate that the security is "equivalent." The same proposition may have merit for the objectives of states, such as California. We know, from the details of the established FedRAMP baselines, what is necessary there for "Moderate." Cloud service providers that are not FedRAMP authorized can prepare documentation to demonstrate that their approach to security is "equivalent." A State, either at an enterprise level, or even for individual procurements, can make a judgment whether to accept the offered demonstration of equivalence. Or the State could ask for improvement. (Security decisions for a public purchaser always involve risk tolerance considerations and, necessarily, issues of cost, schedule and performance.) Recognizing FedRAMP, while allowing demonstration of "equivalence," retains the value of FedRAMP and 800-53 without excluding other CSPs whose security may be as good - and could be even better - and who choose other approaches to establish and sustain cloud security.

The foregoing is subject to revision. It reflects my personal thoughts and not the position of any organization or company that I may represent. Please do not distribute, excerpt or share without attribution. Comments and criticism welcome.
