Cloud
News
11/3/2010
01:45 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Feds Roll Out Cloud Security Guidelines

The voluntary FedRAMP program for private and public cloud services, expected to begin in the first quarter of 2011, would standardize security accreditation and certification.

Inside DHS' Classified Cyber-Coordination Headquarters
(click image for larger view)
Slideshow: Inside DHS' Classified Cyber-Coordination Headquarters

The federal government Tuesday afternoon released draft plans for a program to ensure cloud services meet federal cybersecurity guidelines, which should help shore up lingering government concerns about cloud security and accelerate adoption of the technology.

The government expects the program, the Federal Risk and Authorization Management Program (FedRAMP), to be operational by the first quarter of 2011. Through the voluntary program, developed with cross-government and industry support over the last 18 months, cloud services would go through a standardized security accreditation and certification process, and any authorization could then be leveraged by other agencies. "By simplifying how agencies procure cloud computing solutions, we are paving the way for more cost-effective and energy-efficient service delivery for the public, while reducing the federal government's data center footprint." federal CIO Vivek Kundra said in a statement.

The Obama administration has been pushing federal agencies to adopt cloud computing to help save the government money, with Kundra and other top officials championing the technology and instituting policies, such as data center consolidation requirements, that could help spark a shift to the cloud. However, federal IT managers have consistently raised security concerns as the biggest perceived barrier to adoption.

The debate over cloud security recently reached a boil in some government quarters. Google sued the Department of Interior last month for favoring Microsoft's cloud email service in a proposed acquisition. In the suit, Google claims that the agency's CTO told it that its product wasn't compliant with agency security requirements, but the agency then declined to provide those security requirements.

In addition to inconsistent requirements and fears about who controls the underlying data, the government's security concerns arise in part because cloud computing is a new paradigm that must be shoehorned into the security requirements of regulations like the Federal Information Management Security Act, which governs federal cybersecurity for most of government. FedRAMP achieves that by mapping out the baseline required security controls for cloud systems, and thus creating a consistent set of security guidelines for cloud computing.

FedRAMP also aims to eliminate a duplicative, costly process to certify and accredit applications. In the past, each agency would typically take apps and services through their own accreditation process. However, in the shared-infrastructure environment of the cloud, such a process is redundant, and FedRAMP allows services to be accredited once and have that accreditation leveraged by all government agencies.

The FedRAMP draft includes three major pieces: a set of cloud computing security baseline requirements; a process to continuously monitor cloud security; and a description of proposed operational approaches to authorizing and assessing cloud-based systems.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
2014 Next-Gen WAN Survey
2014 Next-Gen WAN Survey
While 68% say demand for WAN bandwidth will increase, just 15% are in the process of bringing new services or more capacity online now. For 26%, cost is the problem. Enter vendors from Aryaka to Cisco to Pertino, all looking to use cloud to transform how IT delivers wide-area connectivity.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Must Reads Oct. 21, 2014
InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and community news at InformationWeek.com.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.