What the EO Means for the Cloud
Cybersecurity and the Cloud Details
Presently, cutting-edge cybersecurity often features IT modernization because maintaining and securing legacy IT can prove costly, difficult and risky.
Yet that does not mean every agency has adopted cloud computing. The cloud decentralizes IT infrastructure to deliver computer resources such as data storage on-demand. Although this format gives agencies unparalleled flexibility and scalability, cloud migrations can take more effort than agencies initially realize.
Recognizing this, Biden’s EO prods agencies to use the cloud while acknowledging some may do so partially or not at all. While the EO hopes to accelerate public-sector cloud use, it also covers securing computer systems on premises, in the cloud or a hybrid of both models.
1. Will all agencies have to use the cloud?
According to the cybersecurity EO, different agencies are at different stages of cloud implementation. Consequently, the document’s various cybersecurity details can apply to on-premises, cloud-based or hybrid IT.
But the EO is also clear that the federal government wants to speed up its overall cloud adoption. The EO not only calls for faster federal cloud migrations, it even lists three potential models for agencies.
First up are Software-as-a-Service (SaaS) clouds, which license centrally hosted software on a subscription basis. Infrastructure-as-a-Service (IaaS) clouds decentralize IT infrastructure, while Platform-as-a-Service (PaaS) clouds do the same for computing platforms hosting agencies’ desired applications. Regardless of the cloud model involved, the EO reveals that the federal government sees the technology in its agencies’ futures.
2. How will future cloud adoptions work for agencies?
Since 2011, the Federal Risk and Authorization Management Program (FedRAMP) has authorized which cloud products and services can host federal data. By leveraging FedRAMP’s cloud security standards, the Biden administration made the program one of its cybersecurity EO’s biggest stars.
No. 1 among the EO’s FedRAMP priorities is leveraging a governmentwide strategy for federal cloud security. This strategy will try to ensure that agencies broadly understand the risks from cloud-based services and how to effectively address them.
A technical reference documenting secure cloud architecture is another goal. Once released, this resource will illustrate recommended approaches to cloud migration and collecting, protecting and reporting on data for agencies.
Lastly, the order tasks FedRAMP with identifying the cloud services and protections available to agencies based on incident severity. This framework will also list the data and processing activities associated with these services and protections.
Together, these steps ensure that agencies can adopt cloud quickly, securely and intelligently with FedRAMP’s expertise.
3. How might the EO’s cloud details transform federal agencies’ work?
The better people understand the cloud, the better the technology will benefit them. Due to the cloud’s rising prominence within the federal government, the new cybersecurity EO takes steps to inform agencies’ employees about FedRAMP.
Chief among the cybersecurity EO’s FedRAMP education opportunities is a new federal training program. Once established, this initiative will ensure that federal employees are trained and equipped to manage FedRAMP authorization requests. This learning opportunity will also include training materials and on-demand videos that inform federal workers about FedRAMP’s role in securing cloud products and services.
Someday, introducing FedRAMP tutorials to the federal talent pool could prompt state and local agencies to craft their own versions.
4. How could the EO morph state and local cloud security?
Where federal agencies go, state and local agencies will likely follow. The cloud is no different, and many state and local governments may copy their federal companions once they realize the technology’s benefits. Similarly, the way federal agencies secure their cloud products and services may become equally successful for state and local workforces.
Beyond simply adopting cloud, state and local agencies may also crave access to federal data. But to host this desirable commodity, state and local cloud environments may have to comply with FedRAMP’s security benchmarks. Ultimately, the state and local agencies that do not follow FedRAMP’s standards may miss powerful federal insights.