Could updated controls from NIST drive up cloud security costs?

October 19, 2017 Douglas Barbin

Among the biggest complaints about the cloud security program known as the Federal Risk Authorization Management Program (FedRAMP) have been the cost for vendors and the time it takes to get approved.

The FedRAMP program management office has tried to address both over the last few years, most recently introducing the Tailored program for low-impact, software-as-a-service offerings last month.

But now the program management office is concerned that many of those advances could be at risk with the updated security controls from the National Institute of Standards and Technology.

In its public comments about NIST Special Publication 800-53, Revision 5, FedRAMP said the move from Revision 4 to Revision 5 could cost millions of dollars across the cloud service providers, third-party certifiers and the federal Joint Authorization Board (JAB) to update the approved cloud services and related standards.

Doug Barbin, a principal and cybersecurity leader for Shellman and Company, a 3PAO, said in an interview with Federal News Radio that while privacy was always a part of Rev 4 and previous revisions, Rev 5 brings in more of the generally accepted privacy requirements, policies and guidelines for information sharing.

Read more: federalnewsradio.com

About the Author

Doug Barbin is a managing principal and firm-wide leader for cyber security and compliance services. He works with many of the world's leading cloud computing, federal, FinTech, healthcare, AI, and security provider clients. Doug has more than 20 years’ experience and maintains multiple CPA licenses, along with CISSP, CIPP, ISO 27001 Lead Auditor, and QSA certifications. He was one of the first Cloud Security Alliance CCSK recipients and regularly trains Schellman personnel on cloud auditing, compliance, and other advanced technologies. Doug is very active in industry organizations and regularly speaks on cloud security, AI, FedRAMP, and other compliance frameworks.
More Content by Douglas Barbin

Welcome to our Hub

Could updated controls from NIST drive up cloud security costs?

About the Author

Previous Article

Next Flipbook

Could updated controls from NIST drive up cloud security costs?

About the Author

Previous Article

Next Flipbook

Other content in this Stream

Schellman Principal Doug Kanney provides an overview of the ONC/OCR SRA tool which by design helps organizations navigate the HIPAA risk analysis process.

Schellman's Grayson Taylor shares an overview of the new mapping of NERC CIP Reliability Standards to NIST Cybersecurity Framework CSF

Every industry has been forced to scale processes and adapt business models to maintain their foothold in a landscape thrown off by COVID19. At Schellman our FedRAMP 3PAO assessment process was ready.

What are the common reasons CSPs fail to achieve a FedRAMP Authority to Operate ATO in a timely manner?

US DoD has been working to revise funding procurement procedures DFARS. Most important are regulations which mandate that defense contractors meet NIST SP 800-171 standard that deals with CUI.

Schellman has performed a third of FedRAMP assessed systems and is the #2 3PAO provider.

On Wednesday July 17th, I had the distinct honor of providing the assessor perspective at a FedRAMP hearing held by the Subcommittee on Government Operations—a subset of the House Oversight Committee.

Join Schellman's Federal Practice Team as they take a step back to navigate through the more recent updates with FedRAMP and more broadly Federal Assessments.

The 2018 National Institute of Standards and Technology (NIST) Cyber Security Framework is an updated version of the first version published in 2014. Notably, the two versions of the...

Though vulnerability scanning is only one of the control requirements in FedRAMP, it is actually one of the most frequent pitfalls in terms of impact to an authorization to operate...

Government security breaches seem to hit the news every other month—keep an eye on your investments—including potential breaches caused by contractors. What may be a surprise is the...

As a Third Party Assessment Organization (3PAO), Schellman regularly conducts FedRAMP assessments for Cloud Service Providers (CSPs). Included during these assessments is a penetration...

Over the last few years, there has been a push to obtain cloud computing solutions at almost every turn. A plethora of companies continue to provide cloud services to their existing...

I am delighted that Schellman is now an accredited FedRAMP 3rd Party Assessment Organization (3PAO). This is a testament to our extensive experience in the cloud service provider (CSP) space and...