Government // Cybersecurity
News
1/21/2014
09:40 AM
Connect Directly
RSS
E-Mail
50%
50%

Cloud Providers Align With FedRAMP Security Standards

Federal Risk and Authorization Management Program (FedRAMP), the government effort to hasten agencies' cloud adoption, has changed the way the cloud computing industry thinks about security.

Download the entire February 2014 InformationWeek Government issue, distributed in an all-digital format (registration required).

A two-year-old government program created to spur cloud computing adoption by federal agencies is changing the way commercial cloud service providers, from Amazon to Microsoft, think about cloud security standards. The program, known as the Federal Risk and Authorization Management Program (FedRAMP), is also changing the playing field for service providers competing for the government's business and has attracted the attention of banks and other major private-sector companies.

FedRAMP began as a way to streamline the duplicative and time-consuming work every federal agency must perform in assessing the security risks associated with using cloud-computing systems. Convinced in early 2011 that cloud computing could reduce federal IT operating and capital investment costs significantly, White House and federal IT officials needed a way to fast-track the certification process.

By establishing a common set of security controls and an independent verification system, FedRAMP enabled agencies for the first time to acquire a cloud service authorized by another federal agency without having to duplicate the entire security authorization process.

Now managed by the General Services Administration, FedRAMP has gained traction over the past year, as all federal agencies race to meet a June 2014 deadline to have their cloud services FedRAMP-certified.

Eleven vendors -- including Akamai, Amazon Web Services, AT&T, Hewlett-Packard, IBM, Lockheed Martin, and Microsoft -- are now authorized to operate cloud services for all or some federal agencies. A dozen more services are moving through the application process and more are in the pipeline, says FedRAMP director Maria Roat.

[Want more on the security of cloud services? Read Cloud Gazing: 3 Security Trends To Watch.]

Additionally, 27 third-party assessment organizations (and more are lining up) are approved to verify that a given cloud service satisfies, and continues to meet, a rigorous set of management controls and security standards legally required by federal agencies.

Cloud infrastructure services dominate the list of FedRAMP-approved services. Microsoft's Windows Azure is the only platform-as-a-service in the FedRAMP lineup. Late last month, Concurrent Technologies' virtual desktop management service became the first software-as-a-service to receive FedRAMP provisional approval. Fed-RAMP officials recognize they need to expand the range of available services to continue attracting agency participation.

FedRAMP has not only caught the attention of government agencies, but also private sector cloud service buyers. In the seven months since AWS received FedRAMP authority to operate a pair of cloud infrastructure services for the Department of Health and Human Services, 268 federal and state agencies have asked to review the vendor's FedRAMP authorization packages, says Teresa Carlson, Amazon Web Services' worldwide public sector VP. But it's the level of commercial sector interest in FedRAMP that surprised Carlson and AWS's director of risk and compliance, Chad Woolf.

"We've disclosed a summary of the controls we have for FedRAMP to some major banks. They were blown away by the comprehensive nature of the FedRAMP program," Woolf says. AWS has since assembled a package of documents for its commercial customers detailing what FedRAMP is all about.

Microsoft federal sector CTO Susie Adams has also seen a spike in interest. "As soon as we announced we had our [FedRAMP authority to operate], our phones were ringing off the hook," she says. The inquiries have come from Microsoft's developer partners and from governments and companies internationally. "State and local governments are starting to align their security requests with the FedRAMP standards," Adams says. "FedRAMP isn't widely adopted yet, but it is getting legs."

Defense Department CIO Teri Takai also senses FedRAMP's impact on the cloud computing market, and its potential to become more than just a government certification program. Takai, together with CIOs from the Department of Homeland Security and the General Services Administration, and their technical support teams, serve on Fed-RAMP's Joint Authorization Board, which reviews the independent assessments and decides whether cloud services can deliver on the government's stringent IT security standards. Vendors also have the option of earning FedRAMP authorization through a single agency, as Amazon did with HHS.

"FedRAMP in many ways is having a strong influence, and will have a strong influence, on the industry," Takai said in an exclusive interview with InformationWeek. "We are starting to see we're shaping how the industry looks at their security controls, in ways they can use to sell to the commercial industry. That was not something that I had the foresight to see," she says. FedRAMP officials also hadn't anticipated the need to create a FedRAMP branding guide for companies that want to advertise their certified services, she says.

Change the status quo
After two years of piloting and evaluating cloud technology, federal agencies awarded more than $17 billion in cloud-related contracts in the fiscal year that ended on Sept. 30, says Deltek analyst Alex Rossino. That activity stems from a number of factors: federal IT mandates, pressure to cut costs, as well as the June deadline to meet FedRAMP security standards.

With federal agencies spending more than $80 billion annually on IT products and services, the shift to the cloud -- and to a new generation of providers -- is shaking up the industry status quo. IBM learned that the hard way last year when it lost a $600 million CIA cloud infrastructure contract to AWS.

Tom McAndrew, executive VP of Coalfire Systems, one of the leading third-party assessors accredited by FedRAMP, notes that federal contractors used to make money creating security controls. But agencies are now "throwing those out" in favor of more common standards, McAndrew says. Cloud service providers have been building systems using security standards established in the payment card industry or by the National Institute of Standards and Technology (NIST). "What we've seen in the last year [is that] nearly every cloud service provider is building foundational security controls to [align] with FedRAMP baseline standards. That's huge," he says. "We've never seen that before. It's a massive transformational shift that's impacting the cloud industry."

FedRAMP will have particular application in the healthcare, education, and finance industries, where security is critical, McAndrew predicts. IT vendors catering to those sectors will "recognize there's an offensive opportunity" to becoming FedRAMP-certified, he says. Coalfire, meanwhile, doubled its workforce last year, to roughly 200 employees, and expects to "double or triple in size next year," says McAndrew, to keep up with demand for cloud security verification.

Hard road to FedRAMP certification
For cloud service providers, meeting Fed-RAMP's rigorous authorization requirements is "an egregious process, but it was meant to be," says John Keese, CEO of Autonomic Resources, the first cloud infrastructure provider to gain FedRAMP approval and the first to be reaccredited one year later. "It's not a once-and-done process," he says.

It can take providers six to nine months to put the needed management disciplines and technical controls in place. Then begins the continuous monitoring, reporting, and remediation work that FedRAMP requires. For vendors unused to working in the government IT environment, the cost of entry is stiff. Keese estimates it would take between $25 million and $35 million in engineering and staffing costs for a commercial cloud service provider to meet the government's demanding IT security standards.

Even experienced vendors are struggling with the extraordinary amount and level of security controls and documentation. Of the more than 80 cloud providers that have applied for FedRAMP certification, more than half aren't ready to go through the process, Kathy Conrad, a senior GSA official, stated recently.

 

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WKash
50%
50%
WKash,
User Rank: Author
1/27/2014 | 4:15:02 PM
ABC7 News Program Takes Notice of FedRAMP story
Those who follow FedRAMP may be interested to note, Washington's ABC7 TV news program, Government Matters, featured a segment, based on this report, on this past Sunday's program.  Here's a link to the program: http://www.wjla.com/articles/2014/01/government-matters---jan-26-2014-99605.html

 
WKash
50%
50%
WKash,
User Rank: Author
1/23/2014 | 9:02:45 PM
Re: Standards are great but don't forget about evolving risk
Affine, you make a fair point about the limits of using standards in an evolving cyber world. But FedRAMP isn't just about meeting a securitiy checklist, its also about assessing the risk posture of a system and being prepared for the risks. That's why they call it the Federal Risk and Authorization Management Program, not just the Federal Security and Authorization Management Program.
Affine
50%
50%
Affine,
User Rank: Apprentice
1/22/2014 | 12:26:30 PM
Standards are great but don't forget about evolving risk
The more we can get to a standards based security program, the easier for organizations to improve their security posture.  The risk that most organizations need to avoid is assuming that meeting the standards means they don't need to do anything thing else for security and IT risk.  This is an evolving landscape and NIST, PCI nor any other standard will ever keep up with the attackers will and desire to find new avenues for getting to the data and information that they want.  A strong security program that leverages a standard as a baseline but includes a strong risk analysis program that monitors and responds to the threat landscape is critical in the current environment we do are doing business in.
JaCa
50%
50%
JaCa,
User Rank: Apprentice
1/22/2014 | 7:20:17 AM
Managing Cloud Risks With Service Organization Controls
Great to see FEDRAMP accelerating cloud adoption rates however with the current state of cloud security in general this will at times fall short in ensuring an absolutely secure computing environment, bespoke security for cloud based apps is still the way forward along with using compliance standards such as SOC to manage security. I work for McGladrey and there's a whitepaper on the website that aligns well with this article that was created on this subject, readers will be interested in it. @ "Managing cloud risks with service organization controls"   http://bit.ly/1a2LQnE
RB22
50%
50%
RB22,
User Rank: Apprentice
1/21/2014 | 2:55:09 PM
No doubt that "foundational security controls" built on a common standard are catching fire.
As a member of a leading 3PAO, I am excited to see this transformation as it occurs. What is equally impressive, is that organizations are not opting for a "lesser" standard, but instead, are adopting a standard that is challenging from the planning phase through continuous operation.
WKash
50%
50%
WKash,
User Rank: Author
1/21/2014 | 1:50:26 PM
Re: See Teresa Takai's take on JAB vs Agency ATO
Thanks for raising issue regarding JAB vs agency authorization and its scope.  When the JAB gives a cloud service "Provisional Authority to Operate" it has satisfied the CIO offices at DOD, DHS and GSA, as opposed to a single agency. some would say that carries more weight. But the the FedRAMP authoriztion by an agency, as HHS did with Amazone Web Services, satisfies the same requirements.


Of equal importance, and thanks for raising this also, FedRAMP authoritiy lapplies to a specific service.  AWS, for instance has more than three dozen cloud services across multiple regions. What HHS appoved was two infrastructure services that specifically meet HHS' requirements.  Other agencies can now build on those services, but that does not mean other AWS services share the FedRAMP seal of approval.

 
JFKHILTON
50%
50%
JFKHILTON,
User Rank: Apprentice
1/21/2014 | 10:33:50 AM
See Teresa Takai's take on JAB vs Agency ATO
The JAB vs Agency ATO difference isn't a debate. See quote from DoD CIO Takai to may help the deflections that occur about difference. Its not theoretical as some say, it is however rigourous.

 

"Cloud service providers can still receive direct operating authority from an individual federal agency, as Amazon Web Services did last May from the Department of Health and Human Services. But approval by FedRAMP's Joint Authorization Board, on which Takai sits, offers an added badge of authority that a cloud service conforms to a baseline of security standards that, subject to provisional review, will satisfy the demands of most federal agencies."

 

Beware / watch presentations made by CSP's, if one particular offering is FedRAMP accredited it does not "peanut butter" across all the CSP's offerings. Sat in many of presentations that one would assume the all the product offerings a CSP has; are accredited because one of the services has had an Agency ATO.
Cyber Security Standards for Major Infrastructure
Cyber Security Standards for Major Infrastructure
The Presidential Executive Order from February established a framework and clear set of security standards to be applied across critical infrastructure. Now the real work begins.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest September 18, 2014
Enterprise social network success starts and ends with integration. Here's how to finally make collaboration click.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
The weekly wrap-up of the top stories from InformationWeek.com this week.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.