Has anyone ever heard of a security breach of a Fedramp moderate or higher authorized environment? I mean the parts that are authorized.
@buherator you mean the news about how their fedramp ATO was pushed through?
One thing I did not realize, while DOGE was running around last year, they cut the fedramp budget in half and that's apparently where the 20x program comes in. That used to be an incredibly invasive assessment process taking over a year and now they apparently do them in 5 weeks. I can see no way this will end in disaster.
@jerry they are probably using AI? they have the money, they have the technology. the govt is always behind and terrible at implementing systems, any degree of beneficence or smooth roll outs are basically impossible, blame politics and red tape; this view is even more amplified now in the partisan atmosphere we have currently, I see no way this is not going to end in disaster. #indubitable #the merry go round
@buherator @jerry
That, plus they never really figured out how that root cert in commercial azure was stolen, only theories; and outsourcing the maintenance of gcch to China.
Having close friends who have worked on both sides of FedRAMP assessments, as with a lot of compliance regimes, I'm just not convinced the effort and expense involved with them translate directly to better security outcomes.
That's not to say that we should cut or scrap them, but rather that compliance programs themselves should be subjected to the same scrutiny that they impose on others.
@jerry thanks for the nerd snipe ... every example I'd thought about offhand could get knocked out by one of these
was the root cause of a breach in the customer side of the shared responsibility matrix? I'd reckon this is the majority of failures. if you leak an API key to a service with an ATO, it works just as well as one that doesn't.
did the vendor, auditor, and sponsor all understand the requirements? everything about FIPS cryptography is a frequent offender here.
is there an applicable standard and how is it applied to your tech? what standards apply to containers is a rabbit-hole
does anyone care? not to make the joke about MSFT's digital escort program, but ... it does make itself