The long wait for a key Federal cloud computing program is over with the launch today of FedRAMP. FedRAMP will help Federal agency managers adopt cost-saving, service-improving cloud computing solutions.
For over two years the Federal government’s “cloud first” policy has floundered. Government executives and managers moved cautiously on adoption, concerned about the possible insecurity of the platform and the cost of FISMA authorization for complex cloud computing solutions.
Cloud Service Providers (CSPs) have likewise been concerned that different agencies had conflicting requirements and interpreted security control requirements differently. With multi-tenant solutions, CSPs were beset by each tenant agency wanting its own authorization, making business with the government a frustrating affair.
While there have been notable wins for cloud vendors over the past year, many Federal systems that would benefit from a move to the cloud had that move delayed until better policy and guidance were available to address those concerns.
FedRAMP Arrives
FedRAMP supplies that policy and guidance, starting with the release by Federal CIO Steven VanRoekel of the FedRAMP memo, Security Authorization of Information Systems in Cloud Computing Environments [PDF]. As FedRAMP develops additional documentation, it will be posted at the GSA-hosted FedRAMP.gov site.
To make FedRAMP a reality, a variety of organizations, including GSA, NIST, the CIO Council and OMB, have worked to find ways to meet the many Federal security requirements for IT systems, manage the risk to government systems and make cloud computing adoption a straightforward process for everyone. Crowd-sourcing has played a huge role in development, and many public and private organizations and individuals contributed throughout the process.
The FedRAMP program is a centralized method to assess and authorize (A&A) cloud computing systems under a streamlined FISMA process. By centralizing the process, some key objectives can be met.
A CSP only has to go through authorization once. Subsequent customers can then leverage or re-use that authorization. If an agency has specific requirements, only the delta between the FedRAMP baseline controls and the agency’s own controls needs to be addressed.
Cloud computing A&As are handled by FedRAMP components and third-party assessor organizations (3PAOs) that can develop specialized skill sets for cloud computing. This will encourage the development of cloud-focused security staff and the rapid maturation of processes focused on understanding the risks involved with cloud computing.
Compliance is only a component of good security. FedRAMP represents a minimal set of required security controls: a limited subset of the controls most systems would be required to have in place and operating effectively under normal FISMA authorization processes. FedRAMP should be seen as a starting point, a demonstration of due diligence on the part of the CSP. Like any authorization in the Federal government, departments and agencies should use this process to determine whether the security is commensurate with the risk and magnitude of harm that would result from the cloud system being compromised or made unavailable.
How Does It Work?
The final FedRAMP concept of operations (CONOPS) and governance model have yet to be released but the basic process will involve six components: Joint Authorization Board (JAB), Program …
Continued on page 2 for some gotchas, whether FedRAMP applies, and its current maturity…