Cloud Providers Align With FedRAMP Security Standards
Federal Risk and Authorization Management Program (FedRAMP), the government effort to hasten agencies' cloud adoption, has changed the way the cloud computing industry thinks about security.
At its foundation, FedRAMP builds on management and technical practices developed for federal agencies by NIST, whose recommendations are captured in a 457-page document (800-53 R4) and a companion guide (800-37).
"The power of the NIST framework is that it can be customized for specialized environments of operation or business situations," says NIST fellow Ron Ross, the framework's principal architect. FedRAMP officials took that template and filled in the blanks, specifying requirements for about 300 security controls common to most federal agencies, Ross says.
Agency CIOs, for example, must be able to demonstrate that their cloud service provider can describe and protect the boundaries of their systems, identify which devices are on those systems, identify how they're configured, and be able to physically and logically isolate their systems' software and hardware assets. Providers also must be able to perform continuous code scans and process electronic discovery requests, and if a high-risk incident occurs, be able to fix the problem within 30 days.
Those measures aren't new to federal agencies. What's new is CIOs trusting that a service approved at another agency will work for their own agency.
FedRAMP takes all the security requirements agencies had to follow for their conventional IT systems and "extends those controls specifically for cloud computing," says Melvin Greer, a chief strategist at Lockheed Martin. More important, "FedRAMP has codified security," Greer says. "It has detailed what we mean when we say cloud security." It also makes it easier for acquisition staffs to buy cloud services because "they can be assured services from FedRAMP-approved providers will meet all of their requirements."
Greer also believes third-party auditing will be a game changer. "We've seen innovation accelerate in the payment card industry" because providers have to adhere to common standards. "We think that's exactly what's going to happen with cloud computing."
JAB vs. agency authority One decision prospective cloud providers will have to make is whether to seek FedRAMP authorization directly through an agency, or apply through the Joint Authorization Board. A JAB authorization is provisional, meaning that agencies can use it as a baseline and, if necessary, add their own security controls, as the Defense Department plans to do. But it has the benefit of having satisfied the scrutiny of DOD, DHS, GSA, and the agency that sponsored the cloud service review.
Which is better? "It depends on where you sit," says Frank Baitman, CIO at the Department of Health and Human Services. For a provider, "it's a little bit quicker to go through an agency. There's no difference in terms of the baseline requests," he says.
For AWS, which already had been working with HHS, the choice was clearer. "We really began with the customer and worked backward," says AWS's Carlson. "We don't feel there is a lot of difference between the agency and the JAB ATOs. The JAB is a force multiplier." But its approval is more theoretical. "With the agency, you're doing practical workloads," Carlson says.
Baitman estimates that at HHS it took 15 full-time employees and some contractors six months to complete the FedRAMP authorization process for infrastructure services provided by AWS.
He credits AWS for "making a significant investment in time and people to make the process work."
Since HHS got the AWS ATO done last May, more than a dozen agency programs have used or acquired a cloud service, Baitman says. He estimates that HHS has already saved $1 million in operating costs, but he says bigger savings are to come.
Baitman's advice to cloud service providers: "Come to the table, roll up your sleeves, and realize it's going to take a lot of effort and serious commitment on your part to make it happen."
Carlson sees a bigger lesson: "You will see a lot of acquisition contracts embrace Fed-RAMP. That will be a key driver. Cloud companies won't be able to participate in any procurement or award without being able to achieve the FedRAMP standards."
The ramp ahead Despite the momentum, FedRAMP's Roat says the program still faces an uphill battle getting agencies -- and cloud service providers -- on board.
"I see [agency] business owners who are incredibly on board to move to the cloud, but their CIO shops are holding back," reluctant to give up parts of their IT operations, Roat says. "There's still a lot of education needed with the federal workforce" on how to securely integrate cloud computing. But she also sees how those efforts are paying off, pointing to the Interior Department, which authorized six cloud services within a week's review time, at half the usual cost, using FedRAMP-certified services.
Adds Dave McClure, the GSA associate administrator who oversees the FedRAMP office: "It takes a lot of culture busting." But considering what FedRAMP has accomplished over the past year, "the concept we created has proven itself out," he says.
GSA's Conrad says FedRAMP has accomplished something else. "The fact that we have more than two dozen third-party assessment organizations says we have created a new market," Conrad says. "We're driving a whole new business model for the cloud, not just for security."
Wyatt Kash, editor of InformationWeek Government, can be reached at email@example.com.
Moving email to the cloud has lowered IT costs and improved efficiency. Find out what federal agencies can learn from early adopters. Also in the The Great Email Migration issue of InformationWeek Government: Lessons from a successful government data site. (Free registration required.)
Security Job #1 For FedsThe 2014 InformationWeek Government IT Priorities Survey shows federal IT pros care about security - itís rated as very important by 69% of respondents, 30 percentage points ahead of the No. 2 priority, disaster recovery. Will the upcoming NIST cyber-security framework help manage risk?