FedRAMP and Federal Cybersecurity Market Roundup August 2023

If federal cybersecurity were a play, regulatory programs such as FedRAMP would be the directors, guiding all of the participating actors to execute their parts properly and bring the vision to life. And with the spotlight growing brighter due to the mass digital migration, evolving tech landscape, and expanding threat environment, they recently brought in some new stage managers to help.

2nd Meeting of the Federal Secure Cloud Advisory Committee (FSCAC)

In compliance with the FedRAMP Authorization Act of 2022, the General Services Administration (GSA) established the Federal Secure Cloud Advisory Committee (FSCAC), an alliance of 14 private and public sector representatives stemming from companies such as Google to agencies such as the Defense Information Systems Agency. According to the Federal Register, FSCAC’s purpose is to “provide advice and recommendations to the Administrator of GSA, the FedRAMP Board, and agencies on technical, financial, programmatic, and operational matters regarding

stackCast Episode #2: Evgeny Gervis, CEO at SafeLogic

https://youtu.be/nRqtoTR68_w

On a new episode of stackCast (powered by stackArmor), host Martin Rieger, Chief Solutions Officer & CISO at stackArmor, welcomes the CEO of SafeLogic, Evgeny Gervis. The two discuss:

The important aspects of cybersecurity for businesses, especially those dealing with the United States government and any other entity that requires cryptographic software validation
How SafeLogic is revolutionizing the approach to achieving FIPS 140 validation
How SafeLogic supports customers who are dependent upon someone else’s cryptography, and what that process looks like

To learn more about SafeLogic and how their FIPS 140 validation-as-a-service streamlines the process of achieving and maintaining FIPS 140 validation for encryption, please visit www.safelogic.com. You can also listen to the episode here.

About stackCast: Welcome to stackCast, powered by stackArmor, your go-to source for all things related to cloud security and cybersecurity compliance. Hosted by Martin Rieger, Chief Solutions Officer & CISO at stackArmor, the series

stackCast Episode #1: Introduction to stackArmor with CEO and Founder, Gaurav Pal (GP)

https://youtu.be/iF8JDGpzTHs

Welcome to stackCast, powered by stackArmor, your go-to source for all things related to cloud security and cybersecurity compliance. Host Martin Rieger, Chief Solutions Officer & CISO at stackArmor, kicks off the series with Gaurav Pal (GP), CEO and Founder of stackArmor, who shares:

The vision behind stackArmor and the challenges they faced early on
How they put the NIST security controls at the center of their universe
The importance of cloud security and compliance
The evolving security framework and the future of the federal cloud security industry

To learn more about stackArmor and how they can help you with your compliance needs or anything cloud related, please visit www.stackarmor.com. You can also find stackArmor on:
LinkedIn: https://www.linkedin.com/company/stackarmor/
YouTube: https://www.youtube.com/channel/UCS2dl2kpZ5PBA6BzBtiJu3g
You can also listen to the podcast here.

Securing an Agency Sponsor for FedRAMP Agency-Sponsored ATO

Obtaining a mandated Federal Risk and Authorization Management Program (FedRAMP) Authorization to Operate (ATO) is increasingly important for Cloud Service Providers (CSPs) who wish to make Cloud Service Offerings (CSOs) available to federal government agencies. The FedRAMP Authorization Act codifies the security and compliance requirements for commercial CSPs as they increasingly shift away from on-prem deployment models in favor of cloud-based service delivery models. The journey to FedRAMP authorization begins by understanding and embracing the requirement to secure an agency sponsor. Securing an agency that is willing to become a CSP’s partner and help shepherd it through the authorization process can be a daunting task. In FedRAMP, there are two paths to sponsorship – an Agency sponsorship to obtain a FedRAMP ATO and a Joint Authorization Board (JAB) sponsorship to obtain a Provisional Authorization (P-ATO). Given the JAB’s limited bandwidth, specific government-wide use, and business-case-centric qualification criteria, the majority of

Navigating a JAB Provisional ATO (P-ATO)

Achieving a FedRAMP Authority to Operate (ATO) is a mandatory requirement for cloud service offerings (CSOs) that hold federal data. If you have software (or infrastructure or a platform) that is offered as-a-service and government agencies are your target customers, your cloud offering will be required to obtain and maintain a FedRAMP P-ATO. An ATO is evidence that your cloud offering has met and continues to operate in alignment with the high standards set forth in the FedRAMP cybersecurity controls baselines.

JAB – FedRAMP’s Joint Authorization Board

The FedRAMP program is governed by the Joint Authorization Board – otherwise known as the JAB. The JAB includes the Chief Information Officers (CIOs) from the Department of Defense (DoD), General Services Administration (GSA), and the Department of Homeland Security (DHS). Each of the three agencies has a team of technical reviewers (TRs) committed to the program’s objectives. The JAB is supported by

Streamlining Federal Cybersecurity Requirements [Federal News Network]

With updates such as the latest revision to the National Institute of Standards and Technology Special Publication 800-53, navigating CMMC, FedRAMP, SP 800-171, and FISMA is more important than ever. Martin Rieger, the Chief Solutions Officer at stackArmor, joined Federal News Network to discuss the mistakes companies often make in tackling this process, what the introduced changes mean for authorizations, why budgeting and planning for continuous monitoring will be critical, and more. Watch stackArmor’s Martin Rieger in his interview with Federal News Network here.

https://youtu.be/_K9hml0pSus

Keeping Up with FedRAMP: Baseline Updates, Inaugural Members of the FSCAC, and More

In the words of Winston Churchill, “To improve is to change; to be perfect is to change often.” While it’s likely that collectively, as business owners, policy drivers, and industry experts, we will never absolutely perfect the task of shielding government organizations and federal agencies from experiencing some sort of cyber vulnerability, we can certainly keep evolving the approach to protect them the best we can. And if introducing updates often is the path, then FedRAMP is on track. Coming off of significant milestones such as hitting its 300th ATO and witnessing a 50% increase in the number of CSOs authorized at the High impact level, the program is already announcing other updates and launching new initiatives. So, let’s catch up with what is going on in the world of FedRAMP.

The FedRAMP Joint Authorization Board Approves Rev. 5 Baselines

We begin with the approval of the FedRAMP Rev. 5

It’s Official – FedRAMP has moved to Rev. 5

As of May 30, 2023, FedRAMP has officially approved and adopted the new Rev. 5 baselines – aligning with the National Institute of Standards and Technology Special Publication 800-53 (NIST 800-53) Rev. 5 baselines that went into effect in September of 2021. Cloud Service Providers (CSPs) with existing authorizations, those who are mid-process, and those looking to achieve a FedRAMP authorization for the first time will all be required to align with the Rev. 5 baselines.

What Changes Can CSPs Expect?

The new baselines include both new controls and required changes to a number of existing management, operational and technical controls across multiple control families. While FedRAMP has provided a complete workbook outlining the exact changes for each control in the new baselines, general changes include: Control language that is more directive and outcomes-centric throughout; A new Supply Chain Risk Management (SR) control family (taking the total number of families

The Sky’s the Limit: The Growth of FedRAMP Compliant Cloud Service Offerings

As you’ll recall from our last post, FedRAMP just soared to a major milestone – 300 FedRAMP Authorized Cloud Service Offerings (CSOs). Beyond marking a noteworthy tally, this is a monumental achievement because it means that federal agencies have now reused these cloud services over 4,500 times! In the days and months to come, agencies will have access to more CSOs than ever before, which comes with a few trickle-down effects.

The Benefits of More CSOs

For one, more CSOs translates to more options for federal agencies. In turn, the team at FedRAMP points out that this makes the market more competitive and paves the way for lower pricing (a challenge that we also highlighted in our previous post). Plus, this record figure catapults FedRAMP further along its trajectory of growth. Growth has been a key trend for FedRAMP, especially over the past two years. Within that time

What is FedRAMP Compliance? Understand the FedRAMP Certification and Compliance Process

What is FedRAMP P-ATO? FedRAMP Compliance and Certification Steps Explained

The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that promotes the adoption of secure commercial cloud services across the federal government. The FedRAMP program streamlines the acquisition of cloud services by providing a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP empowers agencies to use modern cloud technologies, with an emphasis on security and protection of federal information. FedRAMP compliance is a security and compliance accreditation requirement for commercial cloud service providers (CSPs) looking to sell their solutions to US Government agencies. FedRAMP certifications are managed by GSA, the US Government agency tasked with operating the program. Federal agencies select and procure commercial cloud services based on their security requirements, which are based on specific
