Government // Cloud computing
Commentary
1/31/2014
09:15 AM
Wyatt Kash
Wyatt Kash
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

FedRAMP Deadline Looms For Agencies, Cloud Providers

Federal agencies have until June 5 to certify their cloud systems. Here's what will happen if they miss the deadline.

Most Wasteful Government IT Projects Of 2013
Most Wasteful Government IT Projects Of 2013
(click image for larger view and for slideshow)

As we reported last week in an in-depth analysis, cloud service providers are queuing up for a rigorous government review process that certifies their service meets a strict baseline of security standards. This certification, known as the Federal Risk and Authorization Management Program, or FedRAMP, is mandatory for any cloud service provider looking to do business with federal agencies.

But the stakes are equally high for the federal agencies. The Office of Management and Budget, which mandated in 2011 that agencies begin using cloud services, has given them until June 5 to show that those services meet federal security standards.

A big question now is what happens if cloud service providers don't get the security certification by the June deadline? And where does that leave agencies trying to migrate slices of their IT operations to the cloud if their preferred provider's services have not yet been approved?

The short answer: "Call us," says Maria Roat, the General Services Administration director who oversees the FedRAMP certification program.  If agencies already are working with certain cloud providers, officials expect there will be some flexibility on the deadline.  

[Here's why Defense Department CIO Teri Takai believes FedRAMP Helps Everyone.]

Whether agencies will find themselves in the hot seat for failing to meet the June deadline, however, is OMB's call, not FedRAMP's, say officials familiar with the situation. OMB didn't immediately respond to requests for comment.

"Agencies may have legitimate reasons, but these requirements have been around for more than two years," says Tom McAndrew, executive VP of Coalfire Federal, which helps cloud service providers get FedRAMP-certified. The details of those requirements were spelled out in a seven-page OMB memo issued by US CIO Steven VanRoekel on Dec. 8, 2011.

US CIO Steven VanRoekel
US CIO Steven VanRoekel

Since then, OMB has been polling agencies every quarter through its PortfolioStat IT investment review program and other reports to determine if they are:

  • meeting the administration's "Cloud First" policy, that requires agencies to use cloud alternatives when available;
  • meeting FedRAMP requirements, demonstrating that a cloud service complies with the government's minimum security standards; or
  • able to justify why they're not meeting federal policies.

"If agencies don't have a robust plan to address cloud and security by now, then there will likely be increased pressure on the agency managers, directors, and CIOs" about their IT investment decisions, says McAndrew. OMB, which controls agency budgets, views FedRAMP's "certify once, use often" approach as an essential tool for reducing redundant costs for security and compliance. 

Time is running out, however, to meet the June deadline.

It typically takes cloud service providers six months to complete the FedRAMP certification process. The agency and cloud provider must first demonstrate that the service meets up to 298 specific security controls. There are no shortcuts, but once a service has been certified, other agencies can adopt it quickly.

Federal CIO Steven VanRoekel tweets about FedRAMP's impact on the cloud computing industry, initially reported by InformationWeek Government and featured on the ABC7 news show 'Government Matters.'
Federal CIO Steven VanRoekel tweets about FedRAMP's impact on the cloud computing industry, initially reported by InformationWeek Government and featured on the ABC7 news show "Government Matters."

Although the FedRAMP process is rigorous and expensive, its comprehensive baseline approach has caught the attention of cloud customers in the private sector.

That comes as good news for VanRoekel, who not only sees cloud computing producing significant IT savings across federal agencies, but also setting a more widely accepted security baseline for the cloud computing industry. As more cloud providers align with FedRAMP security standards, they'll produce more cost-saving cloud services for agencies to choose from.

Find out how a government program is putting cloud computing on the fast track to better security. Also in the Cloud Security issue of InformationWeek Government: Defense CIO Teri Takai on why FedRAMP helps everyone.

Wyatt Kash is a former Editor of InformationWeek Government, and currently VP for Content Strategy at ScoopMedia. He has covered government IT and technology trends since 2004, as Editor-in-Chief of Government Computer News and Defense Systems (owned by The Washington Post ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
PeteNicoletti
50%
50%
PeteNicoletti,
User Rank: Apprentice
1/31/2014 | 2:20:29 PM
On Target!
Wyatt nailed it with this article.  If we didn't recently do a bug sweep in our conference rooms, I would have suspected that he was listening in to some of our recent conversations! As a leading CSP in the final stages of the FedRAMP process, our large Enterprise accounts are starting to pay attention to the additional security controls that FedRAMP offers.  They are requesting we provide certain capabilities that are beyond PCI, ISO, CSA, and SOC1/2 compliance.  In light of the recent breeches of PCI certified companies, the realization is that increasing certain security controls and implementing the continuous monitoring aspects of FedRAMP are far cheaper than a breech.  Our company is making very significant investments and realizing good success in this area.  FedRAMP sets a high bar... but we believe the bar should be higher in certain areas that we're also addressing.  I'm looking forward to more insight from Wyatt.
WKash
50%
50%
WKash,
User Rank: Author
1/31/2014 | 4:30:53 PM
Re: On Target!
Pete, you rasise an interesting point, now that credit card industry has suffered a sereis of massive breaches, FedRAMP is likely to get even greater attention than it might have a few months ago relative to FedRAMP offers.  PCI, ISO, CSA, and SOC1/2 standards.  Thanks for weighing in.  Good luck with your FedRAMP certification!
David F. Carr
50%
50%
David F. Carr,
User Rank: Author
1/31/2014 | 6:34:48 PM
Which push is biggest?
Are the feds pushing harder to make sure agencies get into the cloud than they are to make sure those cloud services are secure, or vice versa?
WKash
50%
50%
WKash,
User Rank: Author
2/7/2014 | 4:55:00 PM
Re: Which push is biggest?
Interesting question. It's possible for agencies to set up private clouds -- managed data centers within their network domain, where users buy by the drink -- which must be meet Federal Information Security Management Act standards, but which don't necessarily have to get FedRAMP approved.  FedRAMP is largerly aimed at 3rd party cloud service providers who host govt systems on secured, multi-tenant platforms.

I think OMB's ability to control budgets, and hold agency execs accountable for IT investments, allows them to put pressure to agencies to get moving to the cloud to save money. Agency lawyers, that must follow the FISMA law and ensure security are also under pressure to hold the line and keep systems secure.  Who's got the upper hand probably depends agenc by agency.

 
Gov Cloud: Executive Initiatives, Enterprise Experience
Gov Cloud: Executive Initiatives, Enterprise Experience
In this report, we'll examine the use of cloud services by government IT, including the requirements, executive initiatives and service qualifications, and auditing and procurement programs that make government cloud adoption unlike that in the private sector.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Must Reads Oct. 21, 2014
InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and trends on InformationWeek.com
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.