
PODCAST: Keeping your head in the cloud with FedRAMP and LBMC's Sese Bennett


Sese Bennett, Senior Manager in LBMC's Information Security practice and former Chief Information Security Officer for the State of Tennessee, has tackled an initiative or two, including the effort to move state government onto cloud-based systems. Today he is working to do the same at the federal scale. LBMC's Information Security group works with clients in the federal space to move their information into cloud-based systems under the Federal Risk and Authorization Management Program, commonly known as FedRAMP.

FedRAMP, a government-wide collaborative effort announced alongside the Cloud First Initiative in 2010, applies a standardized series of security assessments and continuous monitoring practices to cloud-based systems used by the federal government. The goal of the initiative is to gain the scalability, elasticity and cost savings of cloud services without giving up security.

“The recipe for success is selecting the right tool, implementing it correctly, and working with the right organization that understands your needs, understands the capabilities of the cloud, and knows how to match those up to produce a successful implementation,” Bennett said.

Recently, the program's focus has been on speeding up the certification process so that federal agencies can move to the cloud faster without compromising security. The accelerated process cuts the accreditation period from 12-18 months to only six. It also provides a consistent approach for evaluating a cloud solution, understanding its capabilities, and implementing it securely.

When looking to move to the cloud, it is important to keep two things in mind: first, the contractual obligations that come with moving data to the cloud, and second, the classification of that data. “Without those contractual requirements, you don’t have ownership of who owns certain security aspects of that data,” Bennett said.

“Contractual obligations require the adopting organization to ensure there are no gaps in responsibility between the cloud service provider and the organization’s policies that are not covered by the resulting contract. Classification requires adopting organizations to evaluate data for the impact of its compromise if something goes wrong in cloud adoption,” Bennett said.

None of this comes without challenges. Previously, the FedRAMP program evaluated documentation first and capabilities second. The new approach requires organizations to demonstrate up front how their capabilities comply with FedRAMP. In the end, however, this may prove as much a benefit as a challenge: FedRAMP pushes organizations to implement security controls in a way that consistently meets rigorous security requirements, which Bennett said meet or exceed those of traditional systems.

For more information on FedRAMP, visit its site online at For more information on how LBMC is getting involved, contact Bennett at