Back in 2011, when the Office of Management and Budget set June 5, 2014, as the deadline for agencies and cloud service providers to meet a new set of cloud security standards called FedRAMP, government agencies had only just begun creating plans to migrate to these cloud platforms.
At the time, FedRAMP -- the Federal Risk and Authorization Management Program -- was still evolving, but it at least prompted agencies to start thinking about cloud security and keep it in the forefront of their tech decision-making. But thinking and planning are far different from actually executing -- and that is where we are now with June 5 approaching. That's raising lots of questions: Who will be ready? Is there enough time to get ready? What does FedRAMP compliance actually mean? Why does it matter? The short answer: It depends. Here's why.
Because no two cloud service providers (CSPs) offer the exact same product or service -- and given the risk of standing up an application within a non-FedRAMP cloud -- government agencies have turned to systems integrators for help. They can identify the CSPs best qualified to meet their needs for migration -- and for managing daily service operations, which is an extremely important part of the successful deployment.
FedRAMP compliance primarily guarantees that the CSP's infrastructure, from the physical data center through and including the hypervisor, is secure and meets a specific set of standards. Think of this as the securing of the cloud. What's not included in these standards is securing within the cloud.
What securing within the cloud means is designing, deploying, and managing the specific security controls crafted around the agency's applications. This can include patching operating systems, setting up firewalls, intrusion prevention and detection, anti-virus and anti-malware software, and connecting external agency networks such as NIPRNet and SIPRNet, as well as remediating potential security threats within the cloud, actual breaches, or both.
The responsibility for these types of operating issues typically belongs to the agency, or the systems integrator managing the application for the agency. That responsibility is sometimes referred to as the missing link in the cloud. Moving an application to a FedRAMP-compliant cloud does not alleviate the ongoing daily management responsibilities. If anything, moving to a cloud-based solution means accepting more responsibility for the security of the applications.
When June 5 rolls around, if any agency's CSP is not FedRAMP-certified, that agency is taking a big risk. An agency's IT leaders can opt to obtain a waiver, if they have reason to take that step. But there is a real possibility the agency might be denied the waiver, meaning it would not receive authority to operate an application in the cloud service.
According to GSA's FedRAMP website, as of May 16, 2014, there were 11 FedRAMP-certified cloud services available for government agencies to select from. There are more than 20 additional CSPs close to being granted authority to operate, and even more CSPs in the queue waiting to go through the certification process. That's remarkable when one considers these CSPs made the investment to deploy cloud services capable of meeting FedRAMP's rigorous controls in a span of just two years.
How well agencies meet the spirit, if not the intent, of the deadline remains an open question. Given where agencies stood when FedRAMP was first conceived, there's little question agencies are better prepared to move to the cloud today than they might have been without FedRAMP.
The larger question to ask, though, is will FedRAMP be the bridge to help rebuild citizen confidence in government computing and technology deployments? The answer to that still lies in the clouds.