Cloud Providers Align With FedRAMP Security Standards - InformationWeek
Government // Cybersecurity
09:40 AM
Faster, More Effective Response With Threat Intelligence & Orchestration Playboo
Aug 31, 2017
Finding ways to increase speed, accuracy, and efficiency when responding to threats should be the ...Read More>>

Cloud Providers Align With FedRAMP Security Standards

Federal Risk and Authorization Management Program (FedRAMP), the government effort to hasten agencies' cloud adoption, has changed the way the cloud computing industry thinks about security.

At its foundation, FedRAMP builds on management and technical practices developed for federal agencies by NIST, whose recommendations are captured in a 457-page document (800-53 R4) and a companion guide (800-37). 

"The power of the NIST framework is that it can be customized for specialized environments of operation or business situations," says NIST fellow Ron Ross, the framework's principal architect. FedRAMP officials took that template and filled in the blanks, specifying requirements for about 300 security controls common to most federal agencies, Ross says.

Agency CIOs, for example, must be able to demonstrate that their cloud service provider can describe and protect the boundaries of their systems, identify which devices are on those systems, identify how they're configured, and be able to physically and logically isolate their systems' software and hardware assets. Providers also must be able to perform continuous code scans and process electronic discovery requests, and if a high-risk incident occurs, be able to fix the problem within 30 days.

Those measures aren't new to federal agencies. What's new is CIOs trusting that a service approved at another agency will work for their own agency.

FedRAMP takes all the security requirements agencies had to follow for their conventional IT systems and "extends those controls specifically for cloud computing," says Melvin Greer, a chief strategist at Lockheed Martin. More important, "FedRAMP has codified security," Greer says. "It has detailed what we mean when we say cloud security." It also makes it easier for acquisition staffs to buy cloud services because "they can be assured services from FedRAMP-approved providers will meet all of their requirements."

Greer also believes third-party auditing will be a game changer. "We've seen innovation accelerate in the payment card industry" because providers have to adhere to common standards. "We think that's exactly what's going to happen with cloud computing."

JAB vs. agency authority
One decision prospective cloud providers will have to make is whether to seek FedRAMP authorization directly through an agency, or apply through the Joint Authorization Board. A JAB authorization is provisional, meaning that agencies can use it as a baseline and, if necessary, add their own security controls, as the Defense Department plans to do. But it has the benefit of having satisfied the scrutiny of DOD, DHS, GSA, and the agency that sponsored the cloud service review.

Which is better? "It depends on where you sit," says Frank Baitman, CIO at the Department of Health and Human Services. For a provider, "it's a little bit quicker to go through an agency. There's no difference in terms of the baseline requests," he says.

For AWS, which already had been working with HHS, the choice was clearer. "We really began with the customer and worked backward," says AWS's Carlson. "We don't feel there is a lot of difference between the agency and the JAB ATOs. The JAB is a force multiplier." But its approval is more theoretical. "With the agency, you're doing practical workloads," Carlson says.

Baitman estimates that at HHS it took 15 full-time employees and some contractors six months to complete the FedRAMP authorization process for infrastructure services provided by AWS.

He credits AWS for "making a significant investment in time and people to make the process work."

Since HHS got the AWS ATO done last May, more than a dozen agency programs have used or acquired a cloud service, Baitman says. He estimates that HHS has already saved $1 million in operating costs, but he says bigger savings are to come.

Baitman's advice to cloud service providers: "Come to the table, roll up your sleeves, and realize it's going to take a lot of effort and serious commitment on your part to make it happen."

Carlson sees a bigger lesson: "You will see a lot of acquisition contracts embrace Fed-RAMP. That will be a key driver. Cloud companies won't be able to participate in any procurement or award without being able to achieve the FedRAMP standards."

The ramp ahead
Despite the momentum, FedRAMP's Roat says the program still faces an uphill battle getting agencies -- and cloud service providers -- on board.

"I see [agency] business owners who are incredibly on board to move to the cloud, but their CIO shops are holding back," reluctant to give up parts of their IT operations, Roat says. "There's still a lot of education needed with the federal workforce" on how to securely integrate cloud computing. But she also sees how those efforts are paying off, pointing to the Interior Department, which authorized six cloud services within a week's review time, at half the usual cost, using FedRAMP-certified services.

Adds Dave McClure, the GSA associate administrator who oversees the FedRAMP office: "It takes a lot of culture busting." But considering what FedRAMP has accomplished over the past year, "the concept we created has proven itself out," he says.

GSA's Conrad says FedRAMP has accomplished something else. "The fact that we have more than two dozen third-party assessment organizations says we have created a new market," Conrad says. "We're driving a whole new business model for the cloud, not just for security."

Wyatt Kash, editor of InformationWeek Government, can be reached at

Moving email to the cloud has lowered IT costs and improved efficiency. Find out what federal agencies can learn from early adopters. Also in the The Great Email Migration issue of InformationWeek Government: Lessons from a successful government data site. (Free registration required.)

Download the entire February 2014 InformationWeek Government issue,
distributed in an all-digital format (registration required).

2 of 2
Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
User Rank: Apprentice
1/21/2014 | 10:33:50 AM
See Teresa Takai's take on JAB vs Agency ATO
The JAB vs Agency ATO difference isn't a debate. See quote from DoD CIO Takai to may help the deflections that occur about difference. Its not theoretical as some say, it is however rigourous.


"Cloud service providers can still receive direct operating authority from an individual federal agency, as Amazon Web Services did last May from the Department of Health and Human Services. But approval by FedRAMP's Joint Authorization Board, on which Takai sits, offers an added badge of authority that a cloud service conforms to a baseline of security standards that, subject to provisional review, will satisfy the demands of most federal agencies."


Beware / watch presentations made by CSP's, if one particular offering is FedRAMP accredited it does not "peanut butter" across all the CSP's offerings. Sat in many of presentations that one would assume the all the product offerings a CSP has; are accredited because one of the services has had an Agency ATO.
User Rank: Author
1/21/2014 | 1:50:26 PM
Re: See Teresa Takai's take on JAB vs Agency ATO
Thanks for raising issue regarding JAB vs agency authorization and its scope.  When the JAB gives a cloud service "Provisional Authority to Operate" it has satisfied the CIO offices at DOD, DHS and GSA, as opposed to a single agency. some would say that carries more weight. But the the FedRAMP authoriztion by an agency, as HHS did with Amazone Web Services, satisfies the same requirements.

Of equal importance, and thanks for raising this also, FedRAMP authoritiy lapplies to a specific service.  AWS, for instance has more than three dozen cloud services across multiple regions. What HHS appoved was two infrastructure services that specifically meet HHS' requirements.  Other agencies can now build on those services, but that does not mean other AWS services share the FedRAMP seal of approval.

User Rank: Apprentice
1/21/2014 | 2:55:09 PM
No doubt that "foundational security controls" built on a common standard are catching fire.
As a member of a leading 3PAO, I am excited to see this transformation as it occurs. What is equally impressive, is that organizations are not opting for a "lesser" standard, but instead, are adopting a standard that is challenging from the planning phase through continuous operation.
User Rank: Strategist
1/22/2014 | 7:20:17 AM
Managing Cloud Risks With Service Organization Controls
Great to see FEDRAMP accelerating cloud adoption rates however with the current state of cloud security in general this will at times fall short in ensuring an absolutely secure computing environment, bespoke security for cloud based apps is still the way forward along with using compliance standards such as SOC to manage security. I work for McGladrey and there's a whitepaper on the website that aligns well with this article that was created on this subject, readers will be interested in it. @ "Managing cloud risks with service organization controls"
User Rank: Apprentice
1/22/2014 | 12:26:30 PM
Standards are great but don't forget about evolving risk
The more we can get to a standards based security program, the easier for organizations to improve their security posture.  The risk that most organizations need to avoid is assuming that meeting the standards means they don't need to do anything thing else for security and IT risk.  This is an evolving landscape and NIST, PCI nor any other standard will ever keep up with the attackers will and desire to find new avenues for getting to the data and information that they want.  A strong security program that leverages a standard as a baseline but includes a strong risk analysis program that monitors and responds to the threat landscape is critical in the current environment we do are doing business in.
User Rank: Author
1/23/2014 | 9:02:45 PM
Re: Standards are great but don't forget about evolving risk
Affine, you make a fair point about the limits of using standards in an evolving cyber world. But FedRAMP isn't just about meeting a securitiy checklist, its also about assessing the risk posture of a system and being prepared for the risks. That's why they call it the Federal Risk and Authorization Management Program, not just the Federal Security and Authorization Management Program.
User Rank: Author
1/27/2014 | 4:15:02 PM
ABC7 News Program Takes Notice of FedRAMP story
Those who follow FedRAMP may be interested to note, Washington's ABC7 TV news program, Government Matters, featured a segment, based on this report, on this past Sunday's program.  Here's a link to the program:

How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
IT Strategies to Conquer the Cloud
Chances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll