How FedRAMP could boost agencies' trust in the cloud

The Federal Risk and Authorization Management Program, due to be released in a few months, will go a long way toward establishing a trusted relationship between agencies and their cloud providers, a senior scientist with the National Institute of Standards and Technology told a Washington audience.

If federal agencies are going to outsource applications or hardware to cloud service providers, they need to trust that the provider can enforce the security policies the agencies have to comply with, Ron Ross, senior scientist and fellow with NIST, said at a summit on the federal data center revolution, Sept. 13.

“There has been an artificial concern about the ability of cloud service providers to do security, as well as the federal government,” Ross said. However, federal agencies are struggling with information and network security issues just as much as the private sector, he said during a panel discussion at the summit, which was sponsored by Juniper Networks and MeriTalk.

Cyberattacks are sophisticated, and there is a lot more complexity within information networks now. The cloud and the FedRAMP program, in particular, are going to help government and industry manage that complexity, he said.

FedRAMP is an interagency initiative led by the General Services Administration to provide a government-wide certification process. The aim is to reduce costs and duplication when multiple agencies attempt to certify products and services for security compliance.

FedRAMP, which consists of specifications for security requirements, has several important elements, Ross said.

To build trust, appropriate expectations have to be established for cloud providers. Then they have to be allowed to innovate in order to bring the most cost-effective solutions to their data centers and agencies’ cloud applications.

To verify that they have done their due diligence with regard to security, the FedRAMP program will include a conformity assessment program. Within this program, third-party assessment organizations will go through rigorous testing to ensure that they have the appropriate skills to assess whether or not cloud providers comply with the security controls required by FedRAMP.

These independent assessment organizations will gather the evidence to let the cloud provider and federal government know the current security state of the provider’s information systems. If there are any gaps, the proper risk-management decisions can be made.

“The power of the FedRAMP program is that you can deploy a single set of requirements to a single cloud service provider” and every federal agency can take advantage of those cloud services whether they are infrastructure-, platform- or software-as-a-service, Ross noted.

No longer will agencies have to deal with the old certification and accreditation process, where they had to assess the security state of every system and make risk-management decisions.

“We were doing that for every single system in the federal government at great expense,” he said. However, now the government can use the evidence produced by the independent assessment organizations.

“That is the power of innovation; it is the power of the public-private partnership,” he said.

“I think that at the end of the day, if you do an effective cloud deployment where you can reduce IT costs from 5 to 40 percent, that provides us a double benefit – reduced cost and complexity and better cybersecurity,” Ross said.

Ross responded to a question, posed by David Mihelcic, chief technology officer of the Defense Information Systems Agency, on how FedRAMP will be revised to deal with architectural complexity.

FedRAMP security controls are based exclusively on guidelines in NIST Special Publication 800-53, which is coming up for a major revision by the end of 2011, Ross said.

Now that the defense intelligence communities and all NIST constituents are using the same control catalog, NIST did a data call and got more than 1,000 recommendations to update the catalog in various specific areas, Ross said. One of those areas was service-oriented architecture, he explained, noting that the focus is on new constructs and how security controls can be deployed in these environments.

“We’re going to learn as we go,” Ross said, adding that FedRAMP won’t be perfect initially. “We are going to improve over time,” he said. “The security business is always changing.”

“The biggest disaster we face right now is to become paralyzed and not move forward,” Ross said.

About the Author

Rutrell Yasin is a freelance technology writer for GCN.

Reader Comments

Tue, Sep 20, 2011 Steve Hunt NASA-ARC

The following statement in this article is incorrect: "No longer will agencies have to deal with the old certification and accreditation process, where they had to assess the security state of every system and make risk-management decisions." While FEDRAMP Joint Authorizations will provide significant service to Federal Cloud users ... it will not alleviate them of all IT Security control implementation requirements ... or the associated Assessment & Authorization responsibilities. End users will still have security control requirements on their end services that the cloud provider cannot address. The number and depth of the controls will vary depending on the type of service (e.g. SAAS, PAAS, or IAAS) ... with responsibility increasing from SAAS toward IAAS. Working out how to parse the control responsibilities between those owned by the Cloud provider and those owned by the Cloud customer ... is difficult ... detailed ... and complex. This is the most significant misunderstanding that I see today throughout the conversations I see on Cloud computing ... in particular when discussing FEDRAMP and Federal Cloud customer security responsibilities. Moving to the Cloud does not alleviate customers of IT Security responsibilities or Assessment & Authorization activities. It reduces them ... but does not eliminate them.