FedRAMP - The Gold Standard of Cloud Security

By Henry J. Sienkiewicz, the former CIO of DISA and CyLogic’s Board Member

Security has always been about identifying who or what can be trusted to access data, and what they can do with that access.

Early enterprise networks used a strong-walls approach: a single perimeter, akin to a moat around a castle, served as the line of trust delegation. In other words, gaining access at any point of the perimeter was sufficient to establish trust, and anyone outside the perimeter was untrusted. This approach remains heavily in place today, but it has fallen behind in adequately securing networks and data in the modern technology landscape.

Progressively sophisticated adversaries, intentional or unintentional harmful insider behavior, and new challenges such as cloud computing and bring your own device (BYOD) policies have made the task of securing data against threats increasingly difficult.


Today, the “gold standard” risk management framework is NIST’s CSF, with its operational implementation found within the FedRAMP program. The NIST CSF is widely recognized as an effective security framework for both private and public organizations, helping them move from reactive to proactive risk management and an effective security posture.

Commercial organizations are increasingly adopting the risk management framework (RMF) found in the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF). This is the approach that should be taken by every organization that is truly concerned about securing its data.

The core of NIST’s CSF contains five functions: Identify, Protect, Detect, Respond, and Recover.

These functions were specifically chosen because they help organizations communicate how they manage technological risk and enable informed risk management decisions.

The Identify function involves having an in-depth understanding of the organization and its systems, data, people, and assets, allowing the organization to focus and prioritize its efforts.

The Protect function acts as an outline for effectively ensuring the safety of assets and the delivery of architectural services, with the aim of limiting the likelihood or impact of a cybersecurity event.

The Detect function is critical should a cybersecurity event occur, as it highlights the activities capable of identifying the event and allows for prompt discovery of the attack.

The Respond function demonstrates how best to contain the impact of a security incident so that it does not escalate into a major issue. 

Lastly, the Recover function accentuates the activities appropriate for restoring any impaired capabilities or services, so that the organization can get back to normal business operations as quickly and smoothly as possible. 

NIST’s CSF risk management framework is ideal for organizations of any size to implement, as it is imperative to have a consistent and well-detailed methodology for managing cyber risk. Additionally, because of the framework’s outcome-driven nature, it scales well: it was designed with all types of data infrastructure in mind and is extremely versatile.


In today’s environment, organizations should require, in fact demand, the highest level of security. FedRAMP High is the optimal implementation of the strictest NIST standards.

As you face challenges with your current cloud services, you need to look for a robust enterprise solution for securing your data. The CyCloud platform provides that solution as a practical implementation in full alignment with the NIST/FedRAMP High framework for enterprises.

About the writer: Mr. Sienkiewicz is the former CIO of the US Defense Information Systems Agency (DISA), where he oversaw DISA’s Rapid Access Computing Environment (RACE) project, which was a reference foundation for the FedRAMP standards. He is currently on the faculty at Georgetown University, where he teaches cybersecurity. Mr. Sienkiewicz is also a member of CyLogic’s Board of Directors.
