Cloud technology is supposed to greatly increase the efficiency and productivity of electronic information systems. For federal agencies, though, cloud migration has been a bit of a “catch-22” proposition. All the intense preparation work for migrating to the cloud — including efforts to resolve important data security issues — consumes scarce time and resources, and that burden can end up slowing the very adoption it is meant to enable.
Last week, the White House — through the Office of Management and Budget (OMB) — took steps to make it easier and more efficient for federal agencies to address the significant issues of data security when agencies migrate to the cloud. This should greatly benefit private sector contractors in their efforts to market cloud products and services to federal agencies.
“As the government migrates to the cloud, we are committed to doing so in a way that is cost effective and ensures the safety, security and reliability of our data. Up until now, each agency has individually gone through multiple steps that take anywhere from six to 18 months and countless man hours to properly assess and authorize the security of a system before it grants authority to move forward on a transition to the cloud,” said Steven VanRoekel, federal chief information officer.
“Handling each of these transitions separately without a set of common standards and best practices not only costs us valuable staff time, it also poses a burden that can deter contractors from competing for our business and wastes millions of taxpayer dollars,” he said.
Program Required for Cloud Projects
VanRoekel notified agencies that OMB had approved the Federal Risk and Authorization Management Program (FedRAMP), a unified government-wide risk management initiative focused on providing security for cloud-based systems. The program offers a standard approach for conducting security assessments of cloud systems based on an accepted set of baseline controls and consistent processes that have been vetted and agreed upon by agencies across the federal government.
The use of a uniform security protocol should enable agencies to migrate to the cloud without each agency having to re-invent the wheel in terms of developing its own security standards and contracting requirements.
VanRoekel directed federal agencies to implement the program in various ways:
- Agencies must use FedRAMP when conducting risk assessments, making security authorizations, and granting authorizations to operate (ATOs) for all executive department or agency use of cloud services.
- Agencies must ensure that contracts appropriately require cloud service providers (CSPs) to comply with FedRAMP security authorization requirements.
The directive covers all deployment models, such as public, community, private and hybrid clouds, as well as all service models, such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).
Security Specifics in Process
The directive, however, does not spell out the actual security requirements for cloud migration. All federal agencies are already required to meet the provisions of the Federal Information Security Management Act (FISMA), but beyond that existing obligation, both agencies and vendors were at least temporarily left somewhat in the dark about the specific security controls the FedRAMP program will demand. OMB did, however, direct the federal Chief Information Officers Council to issue a standardized baseline of security controls, privacy controls, and controls selected for continuous security monitoring within the next month.
The baseline will draw on existing guidance from the National Institute of Standards and Technology (NIST), the federal agency charged under FISMA with developing the security standards and guidelines agencies must follow. NIST developed that guidance through a process that included comment from industry.
The FedRAMP baseline covers two of the three impact levels defined under FISMA (in NIST’s FIPS 199): “low,” where a security breach would have a limited adverse effect, and “moderate,” where it would have a serious adverse effect. The “high” level, which covers a severe or catastrophic adverse effect, is not addressed by the initial baseline.
“The FedRAMP baseline cloud security controls are grounded in FISMA standards and are applicable to both cloud and non-cloud security controls and guidance. There are no ‘new’ controls for FedRAMP,” David McClure, associate administrator for the Office of Citizen Services and Innovative Technologies at the General Services Administration (GSA), told CRM Buyer.
“However, the FedRAMP baseline does use selected controls above the existing low or moderate impact NIST baseline that address specific characteristics of cloud computing, including multitenancy, shared resource pooling, lack of trust, visibility, and control of the service provider’s infrastructure,” he said.
“We are supportive of the concept of FedRAMP as a way to reduce the cost and effort of migrating to the cloud. It’s to everyone’s advantage for this program to work,” Jennifer Kerber, vice president for federal homeland security policy at TechAmerica, told CRM Buyer. “We will have to see what the security protocols actually say, and that they address necessary requirements but are not overly burdensome,” she added.
“Federal agency adoption of the cloud is inevitable. The only question is if it will be done in a secure or insecure fashion. The FedRAMP program could be the game-changer in this equation,” Kerber said.
“We’ll know more about the security requirements when they are released, but that’s not the central point. Agencies have been migrating to the cloud and observing security requirements even without the FedRAMP procedures,” David LeDuc, senior director of public policy at the Software & Information Industry Association, told CRM Buyer. “The big picture is that FedRAMP provides a much easier, more efficient, and less cumbersome way for the agencies to move to the cloud,” he said.
Vendor Contracting Components
The directive not only addresses security standards, but also includes several measures designed to facilitate the implementation of those standards in the acquisition and contracting process. For example, GSA will be required to develop templates that can satisfy FedRAMP security authorization requirements through standard contract language and service level agreements (SLAs) for use in the acquisition of cloud services.
Importantly, vendors of cloud services will be required to have their offerings assessed by an accredited third-party assessment organization. These organizations will perform initial and periodic assessments of the products and services offered by cloud service providers against FedRAMP requirements. The third-party organizations will provide evidence of compliance and play an ongoing role in verifying that CSPs continue to meet the security standards. GSA is currently developing a roster of these third-party organizations and will announce its selections by March 31, 2012.
GSA also will set up a Program Management Office to facilitate implementation of FedRAMP that will include a central repository of CSP security authorization packages that executive departments and agencies can use with their cloud migrations.
However, even with the establishment of baseline security standards in FedRAMP, vendors will still have to be on their toes in executing contracts with federal agencies, since requirements are bound to change over time. “We know the program will have to be tweaked because security threats change frequently,” said Kerber.
“Operationally, FedRAMP will evolve as a program to reflect the changing nature of cloud computing and incorporate lessons learned. As cloud computing, standards and capabilities evolve, so will FedRAMP,” said McClure. A joint authorization board (JAB) will be established to define and update FedRAMP security standards.
The complete rollout of the FedRAMP effort will occur over the next six months, with various components reaching implementation over that time frame.
“We recognize that this is an ongoing, evolving effort. Reforming the federal bureaucracy’s ability to procure cutting-edge technology isn’t exactly simple, so we appreciate the efforts to accomplish that,” said LeDuc.