A two-year-old government program created to spur cloud computing adoption by federal agencies is changing the way commercial cloud service providers, from Amazon to Microsoft, think about cloud security standards. The program, known as the Federal Risk and Authorization Management Program (FedRAMP), is also changing the playing field for service providers competing for the government's business and has attracted the attention of banks and other major private-sector companies.
FedRAMP began as a way to streamline the duplicative and time-consuming work every federal agency must perform in assessing the security risks associated with using cloud-computing systems. Convinced in early 2011 that cloud computing could reduce federal IT operating and capital investment costs significantly, White House and federal IT officials needed a way to fast-track the certification process.
By establishing a common set of security controls and an independent verification system, FedRAMP enabled agencies for the first time to acquire a cloud service authorized by another federal agency without having to duplicate the entire security authorization process.
Now managed by the General Services Administration, FedRAMP has gained traction over the past year, as all federal agencies race to meet a June 2014 deadline to have their cloud services FedRAMP-certified.
Eleven vendors -- including Akamai, Amazon Web Services, AT&T, Hewlett-Packard, IBM, Lockheed Martin, and Microsoft -- are now authorized to operate cloud services for all or some federal agencies. A dozen more services are moving through the application process and more are in the pipeline, says FedRAMP director Maria Roat.
Additionally, 27 third-party assessment organizations (and more are lining up) are approved to verify that a given cloud service satisfies, and continues to meet, a rigorous set of management controls and security standards legally required by federal agencies.
Cloud infrastructure services dominate the list of FedRAMP-approved services. Microsoft's Windows Azure is the only platform-as-a-service in the FedRAMP lineup. Late last month, Concurrent Technologies' virtual desktop management service became the first software-as-a-service to receive FedRAMP provisional approval. Fed-RAMP officials recognize they need to expand the range of available services to continue attracting agency participation.
FedRAMP has not only caught the attention of government agencies, but also private sector cloud service buyers. In the seven months since AWS received FedRAMP authority to operate a pair of cloud infrastructure services for the Department of Health and Human Services, 268 federal and state agencies have asked to review the vendor's FedRAMP authorization packages, says Teresa Carlson, Amazon Web Services' worldwide public sector VP. But it's the level of commercial sector interest in FedRAMP that surprised Carlson and AWS's director of risk and compliance, Chad Woolf.
"We've disclosed a summary of the controls we have for FedRAMP to some major banks. They were blown away by the comprehensive nature of the FedRAMP program," Woolf says. AWS has since assembled a package of documents for its commercial customers detailing what FedRAMP is all about.
Microsoft federal sector CTO Susie Adams has also seen a spike in interest. "As soon as we announced we had our [FedRAMP authority to operate], our phones were ringing off the hook," she says. The inquiries have come from Microsoft's developer partners and from governments and companies internationally. "State and local governments are starting to align their security requests with the FedRAMP standards," Adams says. "FedRAMP isn't widely adopted yet, but it is getting legs."
Defense Department CIO Teri Takai also senses FedRAMP's impact on the cloud computing market, and its potential to become more than just a government certification program. Takai, together with CIOs from the Department of Homeland Security and the General Services Administration, and their technical support teams, serve on Fed-RAMP's Joint Authorization Board, which reviews the independent assessments and decides whether cloud services can deliver on the government's stringent IT security standards. Vendors also have the option of earning FedRAMP authorization through a single agency, as Amazon did with HHS.
"FedRAMP in many ways is having a strong influence, and will have a strong influence, on the industry," Takai said in an exclusive interview with InformationWeek. "We are starting to see we're shaping how the industry looks at their security controls, in ways they can use to sell to the commercial industry. That was not something that I had the foresight to see," she says. FedRAMP officials also hadn't anticipated the need to create a FedRAMP branding guide for companies that want to advertise their certified services, she says.
Change the status quo After two years of piloting and evaluating cloud technology, federal agencies awarded more than $17 billion in cloud-related contracts in the fiscal year that ended on Sept. 30, says Deltek analyst Alex Rossino. That activity stems from a number of factors: federal IT mandates, pressure to cut costs, as well as the June deadline to meet FedRAMP security standards.
With federal agencies spending more than $80 billion annually on IT products and services, the shift to the cloud -- and to a new generation of providers -- is shaking up the industry status quo. IBM learned that the hard way last year when it lost a $600 million CIA cloud infrastructure contract to AWS.
Tom McAndrew, executive VP of Coalfire Systems, one of the leading third-party assessors accredited by FedRAMP, notes that federal contractors used to make money creating security controls. But agencies are now "throwing those out" in favor of more common standards, McAndrew says. Cloud service providers have been building systems using security standards established in the payment card industry or by the National Institute of Standards and Technology (NIST). "What we've seen in the last year [is that] nearly every cloud service provider is building foundational security controls to [align] with FedRAMP baseline standards. That's huge," he says. "We've never seen that before. It's a massive transformational shift that's impacting the cloud industry."
FedRAMP will have particular application in the healthcare, education, and finance industries, where security is critical, McAndrew predicts. IT vendors catering to those sectors will "recognize there's an offensive opportunity" to becoming FedRAMP-certified, he says. Coalfire, meanwhile, doubled its workforce last year, to roughly 200 employees, and expects to "double or triple in size next year," says McAndrew, to keep up with demand for cloud security verification.
Hard road to FedRAMP certification For cloud service providers, meeting Fed-RAMP's rigorous authorization requirements is "an egregious process, but it was meant to be," says John Keese, CEO of Autonomic Resources, the first cloud infrastructure provider to gain FedRAMP approval and the first to be reaccredited one year later. "It's not a once-and-done process," he says.
It can take providers six to nine months to put the needed management disciplines and technical controls in place. Then begins the continuous monitoring, reporting, and remediation work that FedRAMP requires. For vendors unused to working in the government IT environment, the cost of entry is stiff. Keese estimates it would take between $25 million and $35 million in engineering and staffing costs for a commercial cloud service provider to meet the government's demanding IT security standards.
Even experienced vendors are struggling with the extraordinary amount and level of security controls and documentation. Of the more than 80 cloud providers that have applied for FedRAMP certification, more than half aren't ready to go through the process, Kathy Conrad, a senior GSA official, stated recently.
Security Job #1 For FedsThe 2014 InformationWeek Government IT Priorities Survey shows federal IT pros care about security - itís rated as very important by 69% of respondents, 30 percentage points ahead of the No. 2 priority, disaster recovery. Will the upcoming NIST cyber-security framework help manage risk?