The Federal Risk Management and Accreditation Program, otherwise known as FedRAMP, is an independent accreditation process that allows cloud providers to align their security postures with standards deemed acceptable by the U.S. government. FedRAMP is still quite new, but is already having an important effect on organizations' cloud security assessment processes.
"[FedRAMP] takes away a lot of the pressure or mystery on what to evaluate," said Tony UcedaVelez, founder and managing partner with application security consultancy VerSprite. "It does facilitate the notion that security has been taken care of. That in and of itself is also a weakness."
In this video, UcedaVelez discusses the pros and cons of FedRAMP, and how to avoid treating FedRAMP accreditation as a reason not to examine the security capabilities of cloud service providers. He also discusses why FedRAMP may suffer from some of the same drawbacks as the Payment Card Industry Data Security Standard, and how to ensure due diligence when evaluating cloud provider security. Finally, he touches on how non-government organizations seeking secure cloud services can benefit from FedRAMP.