01:45 PM
Connect Directly
Repost This

Feds Roll Out Cloud Security Guidelines

The voluntary FedRAMP program for private and public cloud services, expected to begin in the first quarter of 2011, would standardize security accreditation and certification.

Inside DHS' Classified Cyber-Coordination Headquarters
(click image for larger view)
Slideshow: Inside DHS' Classified Cyber-Coordination Headquarters

The federal government Tuesday afternoon released draft plans for a program to ensure cloud services meet federal cybersecurity guidelines, which should help shore up lingering government concerns about cloud security and accelerate adoption of the technology.

The government expects the program, the Federal Risk and Authorization Management Program (FedRAMP), to be operational by the first quarter of 2011. Through the voluntary program, developed with cross-government and industry support over the last 18 months, cloud services would go through a standardized security accreditation and certification process, and any authorization could then be leveraged by other agencies. "By simplifying how agencies procure cloud computing solutions, we are paving the way for more cost-effective and energy-efficient service delivery for the public, while reducing the federal government's data center footprint." federal CIO Vivek Kundra said in a statement.

The Obama administration has been pushing federal agencies to adopt cloud computing to help save the government money, with Kundra and other top officials championing the technology and instituting policies, such as data center consolidation requirements, that could help spark a shift to the cloud. However, federal IT managers have consistently raised security concerns as the biggest perceived barrier to adoption.

The debate over cloud security recently reached a boil in some government quarters. Google sued the Department of Interior last month for favoring Microsoft's cloud email service in a proposed acquisition. In the suit, Google claims that the agency's CTO told it that its product wasn't compliant with agency security requirements, but the agency then declined to provide those security requirements.

In addition to inconsistent requirements and fears about who controls the underlying data, the government's security concerns arise in part because cloud computing is a new paradigm that must be shoehorned into the security requirements of regulations like the Federal Information Management Security Act, which governs federal cybersecurity for most of government. FedRAMP achieves that by mapping out the baseline required security controls for cloud systems, and thus creating a consistent set of security guidelines for cloud computing.

FedRAMP also aims to eliminate a duplicative, costly process to certify and accredit applications. In the past, each agency would typically take apps and services through their own accreditation process. However, in the shared-infrastructure environment of the cloud, such a process is redundant, and FedRAMP allows services to be accredited once and have that accreditation leveraged by all government agencies.

The FedRAMP draft includes three major pieces: a set of cloud computing security baseline requirements; a process to continuously monitor cloud security; and a description of proposed operational approaches to authorizing and assessing cloud-based systems.

1 of 2
Comment  | 
Print  | 
More Insights
2014 Private Cloud Survey
2014 Private Cloud Survey
Respondents are on a roll: 53% brought their private clouds from concept to production in less than one year, and 60% ­extend their clouds across multiple datacenters. But expertise is scarce, with 51% saying acquiring skilled employees is a roadblock.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Elite 100 - 2014
Our InformationWeek Elite 100 issue -- our 26th ranking of technology innovators -- shines a spotlight on businesses that are succeeding because of their digital strategies. We take a close at look at the top five companies in this year's ranking and the eight winners of our Business Innovation awards, and offer 20 great ideas that you can use in your company. We also provide a ranked list of our Elite 100 innovators.
Twitter Feed
Audio Interviews
Archived Audio Interviews
GE is a leader in combining connected devices and advanced analytics in pursuit of practical goals like less downtime, lower operating costs, and higher throughput. At GIO Power & Water, CIO Jim Fowler is part of the team exploring how to apply these techniques to some of the world's essential infrastructure, from power plants to water treatment systems. Join us, and bring your questions, as we talk about what's ahead.