FedRAMP approval is fine, but it's just the beginning
- By Brian Robinson
- Aug 22, 2013
Agencies are increasingly making plans to move to the cloud under the Obama Administration’s ”cloud first” mandate issued in 2010, under which agencies are to default to cloud-based solutions for IT needs “whenever a secure, reliable, cost-effective cloud option exists.” The Federal Risk and Authorization Management Program (FedRAMP), also mandatory for agencies using cloud, is intended as the main tool to enable that.
What’s already clear, however, is that FedRAMP, which provides standardized security controls for cloud services, will only be the start of the migration process. For anything beyond relatively simple needs, agencies will still have to conduct extensive risk assessments of the applications and services they want to go to the cloud for, and whether FedRAMP-accredited cloud service providers can ensure the security that’s needed for them.
For most of the common uses such as cloud-based email and backup storage, the security controls that FedRAMP guarantees will be enough to cover what most agencies need, said John Pescatore, director of emerging security trends at the SANS Institute, and a former vice president at Gartner Inc.
“It’s when you get to more complex needs such as infrastructure as a service (IaaS), where you are using the cloud for such things as end-user storage and running custom software, that’s where it’s going to be a lot tougher for this one-size-fits-all approach to work,” he said.
FedRAMP is the result of input from a wide range of government agencies, companies and industry bodies, and currently encompasses security necessary for compliance with Federal Information Security Management Act (FISMA) low and moderate requirements. The security controls included are based on the National Institute of Science and Technology’s Special Publication 800-53, with added controls for cloud computing. Revision 4 of those standards, which FedRAMP will be updated to include, was published in April.
There are currently 116 controls included in the FISMA low version of FedRAMP, and 298 in the FISMA moderate version.
To be able to compete for agency cloud services in the future, service providers have to undergo a rigorous certification process and have their security procedures verified by a third-party assessment organization. If risks are found, the provider has to fix them and then have their procedures assessed again. The whole FedRAMP process is overseen by a Joint Authorization Board made up of CIOs from the Defense and Homeland Security departments and the General Services Administration.
Even as a baseline, FedRAMP will bring immediate benefits to agencies, said Maria Roat, the director of the FedRAMP program at GSA. It provides a standard approach for the implementation of both FISMA low and moderate security controls across the entire government.
“If you look at what agencies have been doing with FISMA up to now, it’s really been a mixed bag,” she said. “It’s depended on who the authorizing official is, who the business owners [of the systems and data] are and so on, and it’s really been all over the board as to how stringently agencies have applied the FISMA requirements.”
As to specific needs for cloud, Roat admitted that there’s still a fair amount of education going on about what the best use of cloud is, and what the FedRAMP requirements are when they do use the cloud.
“But we are starting to see questions coming in that indicate people are already starting to look to the cloud for things outside of such things as email and basic Web services,” she said. “They are looking at it for applications that will help them better serve their customers, and asking about what the appropriate security is for those.”
And that’s where complications start to muddy the picture. Each agency will have its own needs as far as data is concerned. Information assurance managers in the Defense Department, for example, will have different requirements than those in civilian agencies. Also, FISMA may be all that’s needed to secure data that’s sitting in a controlled environment, but it doesn’t address data that’s in motion between environments.
Those kinds of considerations are not covered by FedRAMP, said Dan Kent, chief technology officer and director of solutions for Cisco’s federal sector. They must be covered in the service-level agreements (SLAs) the agency strikes with the cloud providers.
“Agencies really have to go at this application by application,” he said. “A video application for office training would need to be treated differently from one for other types of training such as aircraft repair and maintenance. It requires agencies to make a careful assessment of each application, and what the risks are for the kind of data that’s involved and how that data gets to the application.”Complications also can arise within something that, on the face of it, is covered by the FISMA requirements in FedRAMP but that also contains elements that are not. A public-facing website, for example, would handle mostly unclassified data but may also include transactions such as fee payments that would involve more sensitive credit card or personally identifiable data.
Anything that requires classified information raises the concerns another notch.
“Organizations that process classified information would not be in alignment with either FISMA low or moderate, and are not likely to put their data into an environment that solely considers FedRAMP,” said John Lambeth, CIO of Qinetiq NA. “Indeed, some of the key cloud providers that would go after FedRAMP business would not be in a position to process that kind of information. Again, that’s why agencies have to consider the nature of the data” they are taking to the cloud.
There is an urgency to getting agencies up to speed on what FedRAMP means for them and the cloud, Roat said. While some organizations are well versed in both FedRAMP and FISMA, and have retained the accreditation services they will need to launch their services in the cloud, she said, others are not that far ahead.
And yet budget constraints are pushing them ever faster to the cloud.
“The problem is that the technology of cloud is not new. It’s really a culture change at agencies that’s needed about what needs to move to the cloud, how it will impact resources and so on,” she said. “When they can wrap their heads around that, the reason for FedRAMP will become more apparent to them.”
The FedRAMP program office has made it clear that FedRAMP will be a living entity, said Mel Greer, a senior fellow at Lockheed Martin, one of the few companies to so far receive a FedRAMP provider accreditation, so the program will continue to mature and include more of the agency and industry concerns. FedRAMP is likely, for example, to soon include more requirements based on platform as a service and software as a service to augment that work that’s already been done for IaaS.
But Greer feels it’s already had an important impact, by being a driver for discussion around trust. To the extent that FedRAMP gives agencies an ability to trust cloud providers more, that will reduce their reluctance to embrace the cloud and drive wider adoption of the cloud in government.
“That contribution shouldn’t be dismissed,” he said. “It’s a very difficult thing to do, to create such a broad trust model.”