Commentary
5/28/2014
10:30 AM
Brian Burns

FedRAMP Cloud Standards Deadline: What Comes After

The June 5 deadline for federal agencies to certify operations to the cloud is just the beginning. Agencies must still stay on top of daily cloud security.

Back in 2011, when the Office of Management and Budget set June 5, 2014, as the deadline for agencies and cloud service providers to meet a new set of cloud security standards called FedRAMP, government agencies had only just begun creating plans to migrate to these cloud platforms. 

At the time, FedRAMP -- the Federal Risk and Authorization Management Program -- was still evolving, but it at least prompted agencies to start thinking about cloud security and keep it in the forefront of their tech decision-making. But thinking and planning are far different from actually executing -- and that is where we are now with June 5 approaching. That's raising lots of questions: Who will be ready? Is there enough time to get ready? What does FedRAMP compliance actually mean? Why does it matter? The short answer: It depends. Here's why.

Because no two cloud service providers (CSPs) offer the exact same product or service -- and given the risk of standing up an application within a non-FedRAMP cloud -- government agencies have turned to systems integrators for help. They can identify the CSPs best qualified to meet their needs for migration -- and for managing daily service operations, which is an extremely important part of the successful deployment. 

FedRAMP compliance primarily guarantees that the CSP's infrastructure, from the physical data center through and including the hypervisor, is secure and meets a specific set of standards. Think of this as the securing of the cloud. What's not included in these standards is securing within the cloud.

Securing within the cloud means designing, deploying, and managing the specific security controls crafted around the agency's applications. This can include patching operating systems, setting up firewalls, intrusion protection and detection, anti-virus and anti-malware software, and connecting external agency networks such as NIPRNet and SIPRNet, as well as the remediation of potential security threats within the cloud, actual breaches, or both.

(Image: Dennis Hill via Flickr)

The responsibility for these types of operating issues typically belongs to the agency, or the systems integrator managing the application for the agency. That responsibility is sometimes referred to as the missing link in the cloud. Moving an application to a FedRAMP-compliant cloud does not alleviate the ongoing daily management responsibilities. If anything, moving to a cloud-based solution means accepting more responsibility for the security of the applications.

When June 5 rolls around, if any agency's CSP is not FedRAMP-certified, that agency is taking a big risk. An agency's IT leaders can opt to obtain a waiver, if they have reason to take that step. But there is a real possibility the agency might be denied the waiver, meaning it would not receive authority to operate an application in the cloud service. 

According to GSA's FedRAMP website, as of May 16, 2014, there were 11 FedRAMP-certified cloud services available for government agencies to select from. There are more than 20 additional CSPs close to being granted authority to operate, and even more CSPs in the queue waiting to go through the certification process. That's remarkable when one considers these CSPs made the investment to deploy cloud services capable of meeting FedRAMP's rigorous controls in a span of just two years.

How well agencies meet the spirit, if not the intent, of the deadline remains an open question. Given where agencies stood when FedRAMP was first conceived, there's little question agencies are better prepared to move to the cloud today than they might have been without FedRAMP.

The larger question to ask, though, is this: Will FedRAMP be the bridge to help rebuild citizen confidence in government computing and technology deployments? The answer to that still lies in the clouds.

Brian Burns is the Director of Cloud Services for Agile-Defense Inc., a leading provider of cloud migration and day-to-day management services and IT for the Department of Defense and other public sector agencies. He has more than 17 years of technology and cloud ...
Comments
batye,
6/2/2014 | 2:36:08 AM
interesting info
interesting info... as with security it's a never-ending process... but I think it's a step towards the right direction... but I would like to hear what other members have to say... Anyone???