Some cloud providers struggle to meet requirements such as multi-factor authentication, FIPS 140-2 compliance and providing a complete boundary definition, GSA's Kathy Conrad says.
Being granted approval to offer cloud services under the federal government’s FedRAMP cloud security program appears to be a more rigorous process than some cloud providers anticipated.
Of the more than 80 cloud providers who have applied to go through the FedRAMP certification, more than half are not yet ready to go through the process, according to Kathy Conrad, principal deputy associate administrator with the General Services Administration’s Office of Citizen Services and Innovative Technologies.
FedRAMP, the Federal Risk Authorization Management Program, is based upon trust. “The essence of that trust,” Conrad said, “is the rigor and the integrity of its security assessment that then can be leveraged across government.” The government intentionally designed FedRAMP certification to be rigorous and does not plan to make it easier, she said.
FedRAMP “is not a process for those who are looking for a quick and easy security assessment,” Conrad said. Instead, the average security assessment for systems that are not cloud-based takes about six months, and it is no quicker for FedRAMP and cloud systems, she said.
Conrad spoke to an audience of government and industry representatives Feb. 12 at the Cloud/Gov conference held by the Software and Information Industry Association in Washington, D.C.
To date, two cloud service providers have received provisional approval to offer cloud services: Autonomic Resources LLC, a certified 8a small business, and CGI Federal, a U.S. subsidiary of the CGI Group Inc., currently the only large provider.
FedRAMP provides a standard approach for security assessment, authorization and continuous monitoring of cloud products and services. FedRAMP uses a “do once, use many times” framework that is expected to reduce the cost, time and staff required to do security assessments of cloud solutions.
The security assessment process uses a standardized set of requirements in accordance with the Federal Information Security Management Act, using a baseline set of National Institute of Standards and Technology 800-53 controls to grant security authorizations.
NIST just released the final draft of its updated catalog of IT security controls, expanded to address new threats and with the flexibility to let agencies tailor controls to their needs. NIST expects to publish the finished product in April.
Conrad said the GSA is trying to work closely with cloud providers to help prepare them for the FedRAMP process. Before the FedRAMP Joint Authorization Board (JAB) can review a security plan, it has to be complete. The FedRAMP templates used to document a security plan are a bit different from what some cloud providers have used in the past, she noted. Additionally, there are a number of controls that are a little tougher for some cloud providers to meet than they might have anticipated, such as multi-factor authentication and compliance with Federal Information Processing Standard 140-2.
If a provider does not have a good system security plan, none of the other documentation matters, said Tom McAndrew, executive vice president of professional services and FedRAMP technical manager for Coalfire, and a participant on the panel with Conrad. Coalfire is a FedRAMP-approved third-party assessor that validates and verifies that cloud providers meet the FedRAMP requirements. The challenge is not so much complying with security controls, but interpreting those controls, McAndrew said.
“No cloud service provider wants a long, arduous process,” said Melvin Greer, chief strategist for cloud computing for Lockheed Martin, whose cloud offerings are going through the FedRAMP process. “We don’t want to be in the dentist chair for a long time.”
But there is a tremendous benefit going through the rigorous process, Greer said. Government agencies will then have a certain level of trust that the cloud service is going to meet agency requirements in a secure fashion, he said.
“We recognize that, while this is a rigorous process,” the cloud provider should really only have to do it once, Conrad said. If the security assessment is done well, then the expectation is that the provisional authority to operate in compliance with FedRAMP granted by the JAB or an agency, can be leveraged many times across government.
“This is a long-term investment that will avoid duplication and reinvestment many times over,” Conrad said.