7 ways government is working to improve FedRAMP

GSA's McClure tackles myths about program, lists areas tiger teams are working on

• By Rutrell Yasin
• Mar 23, 2011

  Five new tiger teams of representatives from across government are working to improve the Federal Risk Authorization and Management Program (FedRAMP) based on feedback submitted during the public comment process, the General Services Administration’s David McClure told attendees today at a symposium on high-performance cloud computing in Washington, D.C.

McClure provided a short list of concerns that GSA and government partners are working on to improve FedRAMP and sought to dispel myths about the security accreditation and authorization program designed to vet cloud providers and services.

There are still some misunderstandings surrounding FedRAMP, said McClure, associate administrator with GSA’s Office of Citizen Services and Innovative Technologies.

A big myth is that with FedRAMP the government is “blowing up [the Federal Information Security Management Act] and completely redesigning the security approach to the federal government,” McClure said during the symposium sponsored by AFCEA's Bethesda chapter at the Willard InterContinental Hotel.

Instead, FedRAMP’s “focus is to improve the security accreditation process by using an approach that can be vetted and reused across the government,” McClure said. The goal is to implement it once, use it many times and bring some consistency to how this is being done. Hopefully, this also will lower the cost for the security process, he said.

---

Related Coverage:

GSA fast tracks requirements for FedRAMP

---

GSA released a draft version of FedRAMP security controls in October 2010 with the intention of issuing the first version by the end of December. However, after reviewing public comments, federal CIO Vivek Kundra, GSA and other officials decided to step back and make sure that critical issues were properly addressed. In fact, GSA extended public comments to January 2011.

“We could have issued FedRAMP Version 1," McClure said. "It would have been OK but would not have resolved critical issues in the security process."

FedRAMP is now slated for release by the end of the summer.

Cloud computing, an on-demand model that allows access to shared computing resources, does introduce some unique security requirements. So the government is looking at FISMA and the National Institute of Standards and Technology security series 800 guidelines to determine what applies in the cloud and the different cloud delivery models, which include infrastructure as a service, software as a service and platform as a service.

“So we have assembled five new tiger teams comprised of representatives from all around government” to address industry and others concerns about FedRAMP, McClure said, noting another myth-buster: that FedRAMP is not a GSA process. It is governmentwide and community-driven, he said. Agencies contributing to the process include the Defense and Homeland Security departments, the Federal CIO Council, NIST, the National Security Agency and, at times, the intelligence community. Industry has regularly been brought in as well.

Thousands of comments were submitted, but here is a short list of areas the government is working on to improve FedRAMP:

1. Too many controls and controls for different risk levels.

The government is working to reduce the number of security controls that will be tested. GSA and others cannot eliminate all controls because many are stringent and necessary to secure government computers. However, the government is trying to differentiate between controls at the low-, medium- and high-risk levels – all of the objectives of FISMA but right now these are blurred. Right now, the focus is on all security on or all security off. That has to change, McClure said.

2. More guidance on third-party assessors’ independence.

Who assesses the cloud provider? Some service providers pick the organizations that assess them and then provide reports to the government. This is equivalent to someone picking his or her own home improvement inspector whentrying to sell a house, McClure said. There are options such as having government entities do the assessment. The government is exploring a NIST suggestion to come up with a model similar to consumer product testing or the standards health area where there is an accreditation board. This world-class board would have the independence to approve a set of accredited assessors, McClure said.

3. Continuous monitoring raises data concerns.

FedRAMP is moving toward a continuous monitoring approach, which focuses on the availability of real-time data about a system’s security posture. For a cloud provider the question is, “Do you want to give up that data for continuous monitoring?” McClure said. Often that data contains very sensitive information.

4. What is the role of the Joint Authorization Board?

The Joint Authorization Board consists of the Defense and Homeland Security departments, GSA and a sponsoring agency looking for accreditation for the cloud provider coming together to certify an Authorization to Operate. How does that work? Does the JAB have or want the authority governmentwide? Does it have the ability legally to grant authority for another agency? “We are working that out [now] and there are ways to solve” these issues, McClure said.

5. What will be the role of government security operation centers?

A big question is about where the monitoring data goes on a regular basis. “Do we create a new bureaucracy, a security operating center in one place where everything is fed into?” McClure asked, or should the government use existing security operation centers? This is another area that the government is working on, he said, adding that the government is not trying to create bureaucracy or another chokepoint for everything being used.

6. How does the government ensure that FedRAMP is complaint with the Trusted Internet Connection?

TIC is an Office of Management and Budget initiative to reduce the number external communication and Internet points of connections within agencies. This is another sensitive issue, McClure said.

7. What are the different security controls for the different cloud delivery models – IaaS, PaaS and SaaS?

“Aren’t there differences in these cloud services that warrant different types of controls and assessment?"
McClure said. These are things that have been worked out better in the second round.

"These are just minor things, right?" McClure joked.

The bottom line: FedRAMP is trying to produce a security baseline in a transparent fashion, McClure said. “If we do not have transparency and trust in this environment, it will not work."