GSA Details Federal Cloud Security Program - InformationWeek
12:06 PM
Connect Directly
Moving UEBA Beyond the Ground Floor
Sep 20, 2017
This webinar will provide the details you need about UEBA so you can make the decisions on how bes ...Read More>>

GSA Details Federal Cloud Security Program

The General Services Administration on Tuesday released extensive new details on FedRAMP, a program the Obama administration hopes will accelerate the adoption of cloud computing and cut security costs.

Top 20 Government Cloud Service Providers
(click image for larger view)
Slideshow: Top 20 Government Cloud Service Providers
The General Services Administration on Tuesday released extensive new details on FedRAMP, the federal government's new standardized approach to vetting the security of cloud computing services, taking an important step toward launching the program.

The GSA-led FedRAMP is a soon-to-be-mandatory government-wide program that standardizes the government's approach to authorizing cloud services for use by federal agencies and monitoring those services to ensure that they continue to meet federal cybersecurity requirements.

Once a service goes through the initial FedRAMP authorization process, it gets a stamp of approval that any agency can use to sign off on the service's ability to meet federal security requirements. This is much more efficient and standardized than the historic approach to security authorization, which required each agency to do its own authorization. Federal CIO Steven VanRoekel has estimated that FedRAMP could save federal agencies between 30% and 40% on their security assessments and cloud procurement processes.

[ Why aren't federal IT pros sold on cloud computing? See Cloud Security, Costs Concern Federal IT Pros. ]

According to the 47-page concept of operations document, popular collaboration and infrastructure-as-a-service tools will be the first applications to run through the FedRAMP authorization process. At an event hosted by tech industry group TechAmerica on Wednesday, GSA officials said that they will prioritize services where there are already existing contracts.

The FedRAMP authorization process will include: -- a joint authorization board, consisting of the Department of Defense, Department of Homeland Security, and GSA, which will do initial security assessments and define and update baseline security controls; -- third-party assessment organizations, which will carry out outsourced assessments; -- and an incident-response coordinator in DHS, which will continuously monitor security compliance and responses to security incidents. A program management office at GSA will oversee the whole process.

GSA said Wednesday that the first set of third-party accreditors will be announced by April. Although the joint authorization board or third-party accreditors will be in charge of initial assessments themselves, each agency still will have to sign off on their own to grant the final security green light to each cloud service they decide to use.

FedRAMP's security standards were published in January. During the rest of this fiscal year, according to the document, the FedRAMP team will formally launch FedRAMP into operation, draw up an initial list of third-party assessors, and finalize an initial set of authorizations. The program will continue to ramp up into next fiscal year.

Although federal officials have described FedRAMP as a mandatory process, GSA officials said Wednesday that there are no plans to write FedRAMP requirements into official federal acquisition regulations. Instead, GSA is working on developing standard contractual language that agencies can use to make FedRAMP compliance a contractual requirement, and could issue stand-alone policy mandating agency use of FedRAMP.

How 10 federal agencies are tapping the power of cloud computing--without compromising security. Also in the new, all-digital InformationWeek Government supplement: To judge the success of the OMB's IT reform efforts, we need concrete numbers on cost savings and returns. Download our Cloud In Action issue of InformationWeek Government now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
IT Strategies to Conquer the Cloud
Chances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll