Akamai Diversity

The Akamai Blog

Akamai University: FedRAMP 101

Akamai Edge 2014 continues today with the second day of Akamai University and API Boot camp. To coincide with this, I'm running two security lessons that are part of an upcoming video series. This is the final installment, and was written by Akamai program managers James Salerno and Dan Philpott.

FedRAMP 101

This lesson is about FedRAMP, why it was created and why it's become an important part of Akamai's security compliance process.

Akamai complies with many industry standards and regulations such as Sarbanes-Oxley (SOX), the PCI Data Security Standard and ISO. FedRAMP -- the acronym for the Federal Risk Assessment Management Program -- is one of the most recent pieces of our compliance program.

For the US Federal Government to operate a system, the system must be authorized.

For cloud computing, FedRAMP is the mechanism it uses for provisional authorizations to operate (PATOs).

The FedRAMP program is organized by the General Services Administration, which handles most of the project management for the authorization process.

However, the actual PATOs are issued by what's called the JAB, or Joint Authorization Board. The JAB is made up of the CIOs from the Department of Homeland Security, Department of Defense, and General Services Administration.

Akamai started preparing for its participation in FedRAMP two years ago. After a year and a half of preparation, the JAB granted Akamai it's PATO.

The FedRAMP authorization process requires Akamai -- as a Cloud Service Provider -- to document a variety of controls we use to secure the Akamai FedRAMP-scoped systems.

We cover controls detailing our network security, network scanning, host hardening, monitoring, physical security and many more aspects of security.

From there, our controls are tested. Unlike some security assessments, which are simply an annual check, FedRAMP requires continuous monitoring.

If we spot a problem, we are required to fix it. It's through this process that we assure FedRAMP that our system meets the goals of the program. When we submit our assessment to the JAB, it reviews it and asks questions. Akamai provides answers, and at the conclusion the JAB makes its authorization decision.

The U.S. General Services Administration lists the following goals and benefits of FedRAMP on its website:

--Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations
--Increase confidence in security of cloud solutions
--Achieve consistent security authorizations using a baseline set of agreed upon standards to be used for Cloud product approval in or outside of FedRAMP
--Ensure consistent application of existing security practices
--Increase confidence in security assessments
--Increase automation and near real-time data for continuous monitoring

--Increases re-use of existing security assessments across agencies
--Saves significant cost, time and resources - "do once, use many times"
--Improves real-time security visibility
--Provides a uniform approach to risk-based management
--Enhances transparency between government and cloud service providers (CSPs)
--Improves the trustworthiness, reliability, consistency, and quality of the Federal security authorization process

That concludes our lesson for today.