
The Impact of Executive Order 14028 on FedRAMP

Government responses to evolving security threats have, to varying degrees, started to incorporate mitigation postures that reflect a world of networked systems and complex digital supply chains.

To address this changing landscape, the president issued Executive Order 14028, "Executive Order on Improving the Nation's Cybersecurity," in May 2021. The order directs federal agencies toward a zero-trust approach to security and sets stricter requirements for authorization processes and security baselines.

This article discusses how some aspects of this executive order are impacting, or will impact, FedRAMP Authorization for cloud service offerings (CSOs).

 

What Is Executive Order 14028?

EO 14028 introduced stricter requirements for government agencies, emphasizing data protection by requiring these agencies and their partners to adopt a zero-trust architecture.

While there are some specific details included in EO 14028 around implementation and expectations (which we've written about previously), the overarching goal is to align the government and its supply chain so that they can better resist threats presented by attackers, specifically Advanced Persistent Threats (APTs).

 

What Is Zero-Trust Security?

"Zero trust" is a security concept centered on the principle that an organization should not automatically trust anything inside or outside its perimeter, and must verify every user, device, and workload trying to connect to its systems before granting access.

The zero trust model follows several fundamental principles to ensure the network’s security. 

These principles include:

These principles work together to provide a holistic approach to network security, ensuring that every access request is authenticated and authorized, and that the resulting connection is encrypted, before access is granted.

 

The Impact on FedRAMP

According to the FedRAMP website, a critical document for implementing this order is Memorandum 21-31 (M-21-31). M-21-31 sets event-logging and log-retention requirements so that agencies, and the cloud providers serving them, can investigate and remediate security incidents; the companion memorandum that lays out the federal zero-trust strategy is M-22-09.

However, this does not translate into a required action for CSOs that already hold a FedRAMP Authorization. What it means is that these CSOs, when working with an agency that has zero-trust or logging requirements, must meet those requirements as stated in that agency's RFP.

These requirements are particularly important as they relate to a few specific controls in NIST SP 800-53 (Revision 5):

 

What Are Key Components of a Zero-Trust Architecture?

With the requirements described above for zero-trust systems, an organization can begin to map standard controls into its FedRAMP Authorization plan.

Some of the common controls, processes, and procedures for a comprehensive zero-trust system include:

By implementing these strategies, a cloud service provider can integrate zero-trust architecture into its product offering, providing a more secure and trustworthy service for its users.

 

Integrate Zero Trust Principles Into Your FedRAMP Authorization with Lazarus Alliance

If your cloud offering faces specific needs and challenges based on this executive order or the demands of your sponsoring agency, you will need a partner to ensure you meet those requirements. That partner is Lazarus Alliance.
