The General Services Administration is trying to figure out how best to integrate CDM into the Federal Risk and Authorization Management Program, says FedRAMP director Maria Roat. FedRAMP provides a standard set of baseline security controls that government and commercial cloud providers must meet to offer cloud services to agencies.
For starters, GSA must determine which stakeholders will be responsible for CDM in a cloud environment. For example, if a service provider is responsible for an Infrastructure as a Service offering and an agency installs an application in that IaaS cloud, is the agency responsible for the app’s continuous monitoring?
“We are having discussions about applying CDM in a shared services environment,” Roat says.
Current FedRAMP controls outline initial requirements for CDM in cloud services. GSA is working on an updated version of the FedRAMP baseline, incorporating controls from NIST SP 800-53 Revision 4, which focuses on continuous monitoring.