Your example doesn't give details so it doesn't mean much.
First, FedRAMP High is extremely strict. Most ATOs are NOT for FedRAMP High. Most people are good with FedRAMP Moderate.
Also, this doesn't mean the security controls are what stopped those other environments from being hacked. The other systems are just separate; that's why they weren't hacked with everything else.
Overall I think FedRAMP is good, because it at least gets somewhat of a baseline. But the other guy was pretty spot on. The auditors generally have no idea what they're looking at, there are a lot of security controls that don't make sense under many contexts and it is mostly a dog and pony show.
And really, it's not like these departments didn't have some type of due diligence for acquiring software. FedRAMP just makes it standardized and allows departments/agencies to piggyback off of other departments'/agencies' due diligence.
The dog and pony show isn’t the point. Most companies are not blatantly committing fraud, especially against the federal government. It’s just not worth it. The process of thinking about the controls and speaking to them itself results in demonstrably more secure operating environments.
I worked extensively on FedRAMP compliance at multiple places, including top cloud providers and banks. It's considered the high-bar standard globally and, other than Australia's IRAP, the baseline such that if you can meet it you satisfy almost all other compliance programs, so it's the key program to meet.
Compliance is always a dog and pony show. It's how you show your dogs and ponies to auditors whose job it is to judge your dog and pony. You get a fairly broad selection of auditors and there's definitely a theatre to the compliance process. However, it doesn't mean you don't do the work and then pretend you did, because being found in non-compliance - or worse, willful non-compliance (by treating it as a dog and pony show intentionally) - has serious consequences. The willful version is criminal.
The practices required are frankly what most people versed in security practice consider baseline. Most software, however, is written by people who don't know much about security, aren't particularly skilled, and are managed by managers who care less and know less. The people who know and agitate for better are treated as ivory-tower, non-commercial people and are managed out to other, presumably better companies with less influential products because they spent time on security instead of the feature grab.
I read the post and it talked a lot about accelerating FedRAMP by focusing less on compliance and more on security, which is like saying the bank is focusing more on a nicer vault and less on making sure the money is still there. It also lauded the enormous amount of integration of xAI into the program, which is essentially corruption at best, and a transfer of massive amounts of sensitive security disclosure to an entity of poor repute for integrity. (See their methane gas turbine willful non-compliance in Nashville.) Everything I read made me remember this is the administration trying to jail Krebs for telling the truth.
My experience with it was that most of the time there was a ton of truth stretching going on. Similar to SOC 2 compliance. If a system couldn't be brought into compliance, there were a ton of stories about why it was not in scope or why a compensating control was adequate.
Yes, there are criminal penalties, but I haven't heard of them being enforced outside of someone just outright lying.
Yes. But my point is the burden of compliance causes at least that much effort. Vibing security and calling it done with a rubber stamp is insufficient because even requiring an audit people try to fudge around the edges. Without a detailed audit with high compliance expectations you’ll just get outright lies by default.
I feel like certification is worse. People fudge the truth, get the certification, get compromised, and because they had the certification, no meaningful action is taken. The InfoSec problem is not a lack of "certification" but a lack of consequences.
> because being found in non compliance - or worse willful non compliance (by treating it as a dog and pony show intentionally) - has serious consequences. The willful version is criminal.
This had a big effect on an implementation project that I did. After legal ran training on the legal aspects of FedRAMP, people started to take it very seriously.
The article points out this is just due to it being a separate system. If anything, your argument is one against cloud computing and SaaS, where your data is intermingled with everyone else's.
See: Okta being compromised, and their FedRAMP High environment remaining secure:
https://www.meritalk.com/articles/okta-hack-didnt-touch-fedr...