GSA / fedramp

Primary repository for FedRAMP PMO Activities

Response to FedRAMP RFI #11

Open Carahsoft2018 opened 6 years ago

Carahsoft2018 commented 6 years ago

Question/Comment on FedRAMP RFI Directory

Name and Affiliation

George Nicholls, Proposals, Carahsoft Technology Corp.

Cloud Security

Please list examples of contract language that you’ve encountered from Federal Agencies that negatively incorporates various specific security requirements that relate to FedRAMP (e.g., encryption, background investigations) or additional non-FedRAMP related security requirements (such as availability SLAs, data location) and limits the availability and acquisition process of cloud products by the federal government.

A recent Request for Quotation from an agency within the Department of Health and Human Services contained several requirements pertaining to data location:

4.1. Cloud-Based Solution
1) The Contractor shall provide a Cloud-based MTD Solution / environment.
2) All data shall be contained within the continental United States. The contractor shall provide architecture diagrams showing data flow and identifying the location in which (agency) data would be stored.
3) This is to confirm that the Contractor's Cloud Service Provider (CSP) does not store (agency) data outside of the continental United States.

Please also provide a succinct explanation supporting your assertion as to why your company views this contract language as a bad example.

Data location requirements are outgrowths of outdated on-premise, perimeter security models, in which data was considered to be safe within an enterprise’s data center protected through heavy investment in firewalls, intrusion detection systems, load balancing, and physical network deployments. These outmoded security models have largely failed to prevent significant data breaches in every industry -- from banking and healthcare, to retailing, technology and government -- in the United States and elsewhere. While data location requirements are inconsistent with innovative cloud-based security approaches and are not mandated by FedRAMP compliance standards, they are frequently incorporated into federal contract language. Accordingly, requirements pertaining to data location should be supported by defined legal analysis and/or regulatory requirements.

Unlike legacy models, modern CSPs use innovative defense-in-depth approaches, with security designed into all layers of cloud infrastructure -- from state-of-the-art access controls at data centers, to establishing trusted hardware boot using a custom-built security chip, to multi-factor authentication of users, to encryption of data in transit and at rest, to intrusion detection and beyond. Further, modern CSOs utilize sharding techniques for storing and encrypting data in smaller elements that are spread horizontally across the infrastructure rather than on a single server or storage device. These design innovations have dramatically improved the security posture of cloud-based services and provided enterprises new and more effective tools for meeting challenges such as insider threats. The use of machine learning in monitoring network traffic and behavior patterns has also created new ways to protect information assets regardless of where they are stored around the world.

FedRAMP PMO

Please provide a suggested written example of contract language that incorporates FedRAMP into the procurement process in the best possible way for a cloud service where market research demonstrates there is a competitive range of similar vendors with existing FedRAMP authorizations.

Recently, the Administrative Office of the U.S. Courts (AOUSC) released a Request for Quotation for a cloud-based Speech-to-Text product. This RFQ contained several requirements pertaining to FedRAMP, including the following:

Security

  • The STT software must meet a FEDRAMP moderate-moderate-moderate rating at the Infrastructure levels.

Please also provide a succinct explanation supporting your assertion as to why your company views this contract language as a good example.

AOUSC stipulated that the proposed software must meet a FedRAMP rating at the Infrastructure levels. Requiring FedRAMP ratings at the Infrastructure levels will improve the availability and acquisition process of SaaS applications. This will reduce the lead time necessary to bring innovative SaaS applications to market.

mattkasten commented 6 years ago

George,

Thank you for your feedback in response to our December RFI. Please note that the PMO and the Secure Cloud Portfolio are digesting the RFI input from across industry and developing next steps.

FedRAMP PMO