FedRAMP, Software Supply Chain Guidance & API Security New Year Updates - Ep 51

“I think with any metric, the FedRAMP program has been viewed as...."
Listen to this edition of Reimagining Cyber EXTRA and find out what Rob and Stan think about FedRAMP.
Firstly, what is it?!
“[FedRAMP’s] whole purpose is to provide a standardized government-wide approach to security assessment, authorization, and continuing monitoring of cloud products and services used by the federal government agencies.”
Plus:
- FedRAMPs codification into law via the National Defense Authorization Act (NDAA)
- Action to making the process easier for vendors and agencies.
- Establishment of the Federal Secure Cloud Advisory Committee – what is it, what’s it for?
- Why does the NDAA not make vendors provide a SBOM? Will this change?

“The crystal ball is if you are a software supplier to the government, you have to be prepared in the future to be able to provide this kind of inventory of components that make up your software build. It's important to be able to react quickly to zero-days, to be able to understand what your software consists of to be able to mitigate open source security issues and risks”

- Microsoft share how they manage supply chain risks with the Secure Supply Chain Consumption Framework (S2C2F). What does the OpenSSF think of it?

“Everything that we're talking about in cyber always somehow turns itself back around to the software. The software supply chain is the common theme that we heard through last year. It's not going to slow down this year.”

- The rise of APIs (application programming interface) as an attack surface

Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via [email protected]

As featured on Million Podcasts' Best 100 Cybersecurity Podcast and Best 70
Chief Information Security Officer CISO Podcasts rankings.