FedRAMP: The dawn of approve-once, use-often?
A new interagency approach to security holds promise for government cloud computing
- By Wyatt Kash
- Apr 30, 2010
A new program called FedRAMP has been gaining attention in government information technology circles in recent weeks, and it’s expected to get a good deal more attention May 20.
That’s when federal information technology officials and industry executives are scheduled to meet at the behest of Federal Chief Information Officer Vivek Kundra to hash out a raft of issues that have been holding back government efforts to adopt cloud computing strategies.
One of the many issues on the table is how to streamline the duplicative process of certifying the security of applications destined to be shared by government agencies. That’s where FedRAMP comes in and why it’s expected to play a prominent role at the upcoming summit.
GSA readies acquisition of cloud infrastructure services
In essence, FedRAMP consists of a new joint authorization board and security requirement authorities as parts of a governmentwide pilot program called the Federal Risk and Authorization Management Program. The program has been in the works for many months, being developed by the Cloud Computing Advisory Council. Kundra's office formed the council, a group of government information security officials co-chaired by Peter Mell, a senior computer scientist at the National Institute of Standards and Technology.
Although officials are still ironing out final operating details — including the program’s name, several sources say — FedRAMP represents a welcome and long-overdue alternative to the relentless and repetitive work agencies must go through to certify IT systems' security.
There’s little question that the lack of governmentwide authority is one of the biggest hurdles to adopting cloud computing in government.
If an agency wants to use existing on-demand cloud computing services, such as services from Salesforce.com or the Interior Department's National Business Center, it must certify that the service meets the government's technical security requirements, even if another agency has established certification and accreditation for that service.
Under the new arrangement, a joint authorization board would review the certification and accreditation work for a cloud service. If the sponsoring agency approves the service, it would be available for use governmentwide. As configured, the board will consist of senior executives and technical staff members from the Defense and Homeland Security departments, the General Services Administration and a sponsoring agency.
If implemented as planned, FedRAMP will help lead to the development of common security requirements for specific types of systems, provide ongoing risk assessments, encourage better system integration, and dramatically reduce duplication of effort and associated costs. But perhaps most of all, it will bring a common-sense, approve-once, use-often approach that has long eluded government IT acquisition.