The federal government's newly detailed voluntary, standardized process to make sure cloud computing services meet government security requirements was supposed to facilitate the adoption of innovative technologies, but in its current iteration, it may fall short.
The federal government's newly detailed voluntary, standardized process to make sure cloud computing services meet government security requirements was supposed to facilitate the adoption of innovative technologies, but in its current iteration, it may fall short.First, a bit of background to set the stage. Today, agencies typically take apps and services through their own security accreditation processes, regardless of whether other agencies have already authorized the same systems for government use. The FedRAMP process is designed to eliminate duplication and reduce costs with a standardized process. Once a service is certified by FedRAMP, other agencies can leverage the certification, thereby speeding up time to deployment for cloud services.
However, one problem is that FedRAMP, as it's currently proposed (it's was released earlier this week in draft form) requires that agencies looking to deploy particular services sponsor those services' certifications. Vendors can't request certification on their own, nor can the Office of Management and Budget (which heads up IT policy for the feds) or General Services Administration (which is running FedRAMP) simply pick and choose a list of suppliers whose services they want to certify.
That may keep the burden on the young FedRAMP process low by pushing only those services through the process that are going to be adopted by agencies. However, it may also shut-out start-ups.
The first companies whose products get certified on FedRAMP will inevitably be the big players who are actively courting government customers and/or already have active government deployments. IBM, Microsoft and Google have all said they have FedRAMP certifications in waiting, and companies like Amazon.com, EMC and Salesforce.com are sure to be close on their heels.
Security accreditation is estimated to cost six figures, and that's a big chunk of change to drop on an unproven start-up that may only have one product an agency wants to use. What's an agency to do? Is it to drop $100,000 to certify a start-up's niche service that meets all of an agency's needs, or simply leverage the pre-existing authorization of a Microsoft product that meets most of its needs? The prudent course might be to leverage Microsoft's authorization rather than open up the wallet, especially in a period of budget crunches.
Unfortunately, that'll keep the universe of authorized services relatively small, and the same services may be used over and over. There's got to be a better way to close the gap between the government and start-ups, many of whom already shy away from government business because it's too expensive and arduous.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.