Feds Roll Out Cloud Security Guidelines
The voluntary FedRAMP program for private and public cloud services, expected to begin in the first quarter of 2011, would standardize security accreditation and certification.
The federal government Tuesday afternoon released draft plans for a program to ensure cloud services meet federal cybersecurity guidelines, which should help shore up lingering government concerns about cloud security and accelerate adoption of the technology.
More Government Insights
- Building a Hybrid Cloud in Government: It's not that Complicated
- IT Service Management Buyer’s Guide Live – a side-by-side comparison of suppliers
- Forrester Whitepaper: IT Operations Managers Must Rethink Their Approach to Private Cloud
- Bloomberg BusinessWeek Agility for Differentiation
The government expects the program, the Federal Risk and Authorization Management Program (FedRAMP), to be operational by the first quarter of 2011. Through the voluntary program, developed with cross-government and industry support over the last 18 months, cloud services would go through a standardized security accreditation and certification process, and any authorization could then be leveraged by other agencies. "By simplifying how agencies procure cloud computing solutions, we are paving the way for more cost-effective and energy-efficient service delivery for the public, while reducing the federal government's data center footprint." federal CIO Vivek Kundra said in a statement.
The Obama administration has been pushing federal agencies to adopt cloud computing to help save the government money, with Kundra and other top officials championing the technology and instituting policies, such as data center consolidation requirements, that could help spark a shift to the cloud. However, federal IT managers have consistently raised security concerns as the biggest perceived barrier to adoption.
The debate over cloud security recently reached a boil in some government quarters. Google sued the Department of Interior last month for favoring Microsoft's cloud email service in a proposed acquisition. In the suit, Google claims that the agency's CTO told it that its product wasn't compliant with agency security requirements, but the agency then declined to provide those security requirements.
In addition to inconsistent requirements and fears about who controls the underlying data, the government's security concerns arise in part because cloud computing is a new paradigm that must be shoehorned into the security requirements of regulations like the Federal Information Management Security Act, which governs federal cybersecurity for most of government. FedRAMP achieves that by mapping out the baseline required security controls for cloud systems, and thus creating a consistent set of security guidelines for cloud computing.
FedRAMP also aims to eliminate a duplicative, costly process to certify and accredit applications. In the past, each agency would typically take apps and services through their own accreditation process. However, in the shared-infrastructure environment of the cloud, such a process is redundant, and FedRAMP allows services to be accredited once and have that accreditation leveraged by all government agencies.
The FedRAMP draft includes three major pieces: a set of cloud computing security baseline requirements; a process to continuously monitor cloud security; and a description of proposed operational approaches to authorizing and assessing cloud-based systems.