HP, Lockheed join FedRAMP elites
- By Rutrell Yasin
- Jun 07, 2013
Hewlett-Packard and Lockheed Martin have been granted provisional approval to offer cloud services under the federal government’s FedRAMP cloud security program, bringing to four the number of cloud providers achieving the highest security level under the program.
FedRAMP, the Federal Risk Authorization Management Program, provides a standard approach for security assessment, authorization and continuous monitoring of cloud products and services. FedRAMP uses a “do once, use many times” framework that is expected to reduce the cost, time and staff required to conduct redundant agency security assessments of cloud solutions.
HP and Lockheed Martin received the FedRAMP Joint Authorization Board’s provisional authorization — the most rigorous approval — which involves a thorough review by chief information officers of the General Services Administration and Homeland Security and Defense department, according to a GSA release.
In February, CGI Federal, a U.S. subsidiary of the CGI Group Inc., became the second company to earn provisional authority and, the first large provider. In January, Cary, N.C.-based Autonomic Resources, a certified 8a small business, won provisional authorization to market its infrastructure-as-a-service (IaaS) offerings to federal agencies.
Both HP and Lockheed Martin provide IaaS offerings. HP Enterprise Cloud Services - Virtual Private Cloud (ECS-VPC) and Lockheed Martin’s Solution-as-a-Service (SolaS) Secure Community Cloud received the FedRAMP stamp of approval.
To receive this provisional authorization, HP and Lockheed Martin documented and fully implemented the FedRAMP security controls on their cloud services offerings. In addition, both companies used one of 20 independent FedRAMP-accredited Third Party Assessment Organizations (3PAO) to assess and verify their security implementations.
Lockheed Martin’s SolaS Community Cloud -- which consists of a community, private and hybrid cloud – was audited by Coalfire Federal, an accredited 3PAO, said Mel Greer, senior fellow and chief strategist for SOA and Cloud Computing with Lockheed Martin.
As a cybersecurity company, Lockheed Martin not only meets the FedRAMP requirements but has also layered in specific security controls developed by the company, Greer said. “From its inception Lockheed Martin has been helping to shape, understand and apply the basic cloud security baselines from FedRAMP. We have augmented that with our specific cybersecurity expertise and applied it to the cloud.”
The two new Joint Authorization Board provisional authorizations demonstrates the viability of the FedRAMP program, according to Dave McClure, associate administrator of GSA’s Office of Citizen Services and Innovative Technologies. The four JAB authorizations and two agency authorizations illustrate the different ways to utilize FedRAMP for an agency’s specific security needs, McClure said.
Last month, Amazon Web Services’ GovCloud and US East/West offerings each received an agency Authority to Operate (ATO) using FedRAMP requirements.
The Health and Human Services Department granted Amazon cloud services the ATO after documenting compliance with FedRAMP security controls in several HHS projects. Those included Biosense 2.0, a program to make data related to bio-terrorism accessible to law enforcement nationwide via the cloud. Meeting FedRAMP’s "moderate impact" cloud security requirements for HHS will smooth the way for other agencies to evaluate and adopt AWS services for their projects, AWS officials said.
Additionally, three new companies have joined the 3PAO ranks over the last month — KPMG and small businesses Burke Consortium and Dakota Consulting — bringin the total number of small business 3PAOs to 11 out of 20, GSA officials said.
Still, FedRAMP is proving to be a more rigorous process than some cloud providers anticipated.
As of February, of the more than 80 cloud providers who have applied to go through the FedRAMP certification, more than half were not yet ready to go through the process, Kathy Conrad, principal deputy associate administrator with the General Services Administration’s Office of Citizen Services and Innovative Technologies, said at the time.
FedRAMP is based upon trust. “The essence of that trust,” Conrad said, “is the rigor and the integrity of its security assessment that then can be leveraged across government.” The government intentionally designed FedRAMP certification to be rigorous and does not plan to make it easier, she said during a panel Feb. 12 at the Cloud/Gov conference held by the Software and Information Industry Association in Washington, D.C.
Rutrell Yasin is is a freelance technology writer for GCN.