Is FedRAMP working? It better.
- By Rutrell Yasin
- Nov 08, 2013
Is FedRAMP, the government's standardized approach to cloud security, working?
All cloud services and products in use by the federal government and in active acquisition must be FedRAMP-compliant by June 2014. As vendors work their way through the assessment process with the deadline a mere seven months away, the question of whether or not the program is working is being raised by some observers in government and industry.
“Is it working? It is going to have to work,” said Sarah Mosley, network and infrastructure security branch chief of the Homeland Security Department’s Office of Cyber Security and Communications. FedRAMP is currently the only standardization program to address the federal government’s cloud security accreditation and authorization requirements, Mosely said Nov. 6 during a panel on consuming cloud computing at FedScoop’s Red Hat Government Symposium in Washington, D.C.
The program will continue to mature, she said, noting that large companies such as Amazon Web Services and Microsoft, both which have received the FedRAMP stamp-of-approval, recognize that this is the way the government is going to pursue security accreditation for cloud services and products.
IBM can now be added to that list. IBM's SmartCloud for Government platform is the most recent cloud environment to receive a provisional authority to operate from the FedRAMP Joint Authorization Board, making the company a more attractive cloud services provider for potential federal customers, according to FCW.
With the addition of IBM, nine companies and one government agency – the Agriculture Department’s National Information Technology Center – have gone through the rigorous accreditation process and been granted either a provisional or an agency authority to operate under FedRAMP.
The real measure of FedRAMP success is not how many vendors get through the assessment program, but how many agencies are really using the packages once the cloud service providers are accredited, said David Blankenhorn, chief cloud strategist for DLT Solutions and also a member of the Red Hat cloud panel.
Blankenhorn said that FedRAMP is working on a high level. Most of the core cloud service providers are new to the federal public sector, so they must learn to speak a completely different language, he said, which accounts for why there are not more cloud providers receiving the FedRAMP authority to operate. Commercial providers must adhere to more than 290 security controls, document their security processes and then go through an audit, which is a massive undertaking, Blankenhorn noted.
Rutrell Yasin is is a freelance technology writer for GCN.