FedRAMP Deadline Looms For Agencies, Cloud Providers
Federal agencies have until June 5 to certify their cloud systems. Here's what will happen if they miss the deadline.
Most Wasteful Government IT Projects Of 2013
(click image for larger view and for slideshow)
As we reported last week in an in-depth analysis, cloud service providers are queuing up for a rigorous government review process that certifies their service meets a strict baseline of security standards. This certification, known as the Federal Risk and Authorization Management Program, or FedRAMP, is mandatory for any cloud service provider looking to do business with federal agencies.
But the stakes are equally high for the federal agencies. The Office of Management and Budget, which mandated in 2011 that agencies begin using cloud services, has given them until June 5 to show that those services meet federal security standards.
A big question now is what happens if cloud service providers don't get the security certification by the June deadline? And where does that leave agencies trying to migrate slices of their IT operations to the cloud if their preferred provider's services have not yet been approved?
The short answer: "Call us," says Maria Roat, the General Services Administration director who oversees the FedRAMP certification program. If agencies already are working with certain cloud providers, officials expect there will be some flexibility on the deadline.
Whether agencies will find themselves in the hot seat for failing to meet the June deadline, however, is OMB's call, not FedRAMP's, say officials familiar with the situation. OMB didn't immediately respond to requests for comment.
"Agencies may have legitimate reasons, but these requirements have been around for more than two years," says Tom McAndrew, executive VP of Coalfire Federal, which helps cloud service providers get FedRAMP-certified. The details of those requirements were spelled out in a seven-page OMB memo issued by US CIO Steven VanRoekel on Dec. 8, 2011.
US CIO Steven VanRoekel
Since then, OMB has been polling agencies every quarter through its PortfolioStat IT investment review program and other reports to determine if they are:
meeting the administration's "Cloud First" policy, that requires agencies to use cloud alternatives when available;
meeting FedRAMP requirements, demonstrating that a cloud service complies with the government's minimum security standards; or
able to justify why they're not meeting federal policies.
"If agencies don't have a robust plan to address cloud and security by now, then there will likely be increased pressure on the agency managers, directors, and CIOs" about their IT investment decisions, says McAndrew. OMB, which controls agency budgets, views FedRAMP's "certify once, use often" approach as an essential tool for reducing redundant costs for security and compliance.
Time is running out, however, to meet the June deadline.
It typically takes cloud service providers six months to complete the FedRAMP certification process. The agency and cloud provider must first demonstrate that the service meets up to 298 specific security controls. There are no shortcuts, but once a service has been certified, other agencies can adopt it quickly.
Federal CIO Steven VanRoekel tweets about FedRAMP's impact on the cloud computing industry, initially reported by InformationWeek Government and featured on the ABC7 news show "Government Matters."
Although the FedRAMP process is rigorous and expensive, its comprehensive baseline approach has caught the attention of cloud customers in the private sector.
That comes as good news for VanRoekel, who not only sees cloud computing producing significant IT savings across federal agencies, but also setting a more widely accepted security baseline for the cloud computing industry. As more cloud providers align with FedRAMP security standards, they'll produce more cost-saving cloud services for agencies to choose from.
Find out how a government program is putting cloud computing on the fast track to better security. Also in the Cloud Security issue of InformationWeek Government: Defense CIO Teri Takai on why FedRAMP helps everyone.
Wyatt Kash is a former Editor of InformationWeek Government, and currently VP for Content Strategy at ScoopMedia. He has covered government IT and technology trends since 2004, as Editor-in-Chief of Government Computer News and Defense Systems (owned by The Washington Post ... View Full Bio
Gov Cloud: Executive Initiatives, Enterprise ExperienceIn this report, we'll examine the use of cloud services by government IT, including the requirements, executive initiatives and service qualifications, and auditing and procurement programs that make government cloud adoption unlike that in the private sector.
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.