FedRAMP aims to authorize 3 cloud providers by year's end
The federal government hopes to have three cloud service providers accredited under the Federal Risk and Authorization Management Program to provide cloud services to agencies by the end of 2012, the General Services Administration’s Katie Lewin told a Washington audience.
The three providers applied for FedRAMP certification on the day of the launch of the program, which is designed to standardize security assessment, authorization and continuous monitoring across the federal government, Lewin said.
FedRAMP, a “do once, use many times” framework designed to save costs, time and staff required to conduct redundant agency security assessments, became active June 6.
“Our goal is to have granted three provisional ATOs [Authority to Operate] by the end of the year,” Lewin, director of the GSA’s federal cloud computing program, said during a panel discussion June 6 at the National Institute of Standards and Technology’s Cloud Computing Forum and Workshop V, held at the Commerce Department. GSA also uploaded a new document, "Guide to Understanding FedRAMP," on the FedRAMP website, Lewin said.
The FedRAMP assessment process is initiated by an agency or a cloud service provider, which begins a security authorization using the FedRAMP requirements. The requirements are compliant with the guidelines and procedures of the Federal Information Security Management Act and are based on the security controls in NIST Special Publication 800-53 (Rev. 3).
CSPs are required to implement FedRAMP security requirements in their products and services and hire a FedRAMP-approved third-party assessment organization to perform an independent audit of the cloud system and provide a security assessment package for review by the FedRAMP Joint Authorization Board. The JAB may then grant the CSP a provisional authorization, which can be used by federal agencies for review when granting a CSP authority to operate.
Lewin’s team within GSA’s Office of Citizen Services and Innovative Technologies is tasked with encouraging the adoption of cloud computing, an on-demand approach to acquiring and consuming computing services and resources, and addressing obstacles to that adoption. The team has focused on acquisition issues, developing the technical details for the blanket purchase agreement contracts GSA awarded to cloud providers of infrastructure-as-a-service solutions more than a year and a half ago, and e-mail as a service, which is still an active procurement.
FedRAMP is the most prominent, most complex and longest-tenured program the GSA team has worked on in conjunction with other agencies and industry, Lewin said.
Will the program be successful? “As far as FedRAMP is concerned, the proof is in the pudding,” she said. Lewin added that, at this time, she doesn’t foresee any obstacles blocking the goal of giving three cloud providers the authority to operate by year’s end. “We have the process, procedures and staff in place to realize the goal,” she said.
FedRAMP will accelerate cloud computing initiatives in the Commerce Department, making the security certification and authorization process more efficient, said Simon Szykman, Commerce's CIO.
“FedRAMP is billed as a security initiative, but it is also an efficiency initiative,” Szykman said. For example, “we had two different bureaus at Commerce that were looking at the same cloud-based emergency notification system a couple of years ago.” Essentially, there were two different acquisition contracts for the same service from the same contractor, and both bureaus were independently looking at certifying and accrediting the system. As officials in the two bureaus started talking to each other, they realized how much effort was being duplicated on the same infrastructure, Szykman said.
“The benefit of FedRAMP is to create efficiency and allow reuse of all efforts that go into authorizing systems,” Szykman said.
Agencies should be thinking about continuous monitoring and the role the Homeland Security Department will be playing in this effort, said Peter Tseronis, chief technology officer of the Energy Department.
As a part of the FedRAMP requirements, federal agencies must implement a continuous monitoring program for any cloud system they deploy. FedRAMP requirements for continuous monitoring work to coordinate ongoing security across cloud service providers and agencies in accordance with DHS policies and guidance. Agencies ultimately have responsibility for continuous monitoring and ongoing authorization of systems, GSA officials said.
“Continuous monitoring is something that interests me,” Tseronis said. How do you do that if you don’t know what your assets are? And if you do, what do you define as an asset? Tseronis asked. How do you do continuous monitoring in a public cloud, or is it better suited to a private cloud?
Continuous monitoring of a system is a moment-in-time process, not one where statistics can be checked later. It is a process that involves data at rest and data in motion, he said. Agencies should be thinking about these issues and “the role DHS is going to play in that effort,” Tseronis said.
The difficult task agency CIOs face is linking together all the legislation and mandates around IT reform and cloud computing, so they can build on it to transform IT, Tseronis said.