As we reported last week in an in-depth analysis, cloud service providers are queuing up for a rigorous government review process that certifies their service meets a strict baseline of security standards. This certification, known as the Federal Risk and Authorization Management Program, or FedRAMP, is mandatory for any cloud service provider looking to do business with federal agencies.
But the stakes are equally high for the federal agencies. The Office of Management and Budget, which mandated in 2011 that agencies begin using cloud services, has given them until June 5 to show that those services meet federal security standards.
A big question now is what happens if cloud service providers don't get the security certification by the June deadline? And where does that leave agencies trying to migrate slices of their IT operations to the cloud if their preferred provider's services have not yet been approved?
The short answer: "Call us," says Maria Roat, the General Services Administration director who oversees the FedRAMP certification program. If agencies already are working with certain cloud providers, officials expect there will be some flexibility on the deadline.
Whether agencies will find themselves in the hot seat for failing to meet the June deadline, however, is OMB's call, not FedRAMP's, say officials familiar with the situation. OMB didn't immediately respond to requests for comment.
"Agencies may have legitimate reasons, but these requirements have been around for more than two years," says Tom McAndrew, executive VP of Coalfire Federal, which helps cloud service providers get FedRAMP-certified. The details of those requirements were spelled out in a seven-page OMB memo issued by US CIO Steven VanRoekel on Dec. 8, 2011.
Since then, OMB has been polling agencies every quarter through its PortfolioStat IT investment review program and other reports to determine if they are:
- meeting the administration's "Cloud First" policy, that requires agencies to use cloud alternatives when available;
- meeting FedRAMP requirements, demonstrating that a cloud service complies with the government's minimum security standards; or
- able to justify why they're not meeting federal policies.
"If agencies don't have a robust plan to address cloud and security by now, then there will likely be increased pressure on the agency managers, directors, and CIOs" about their IT investment decisions, says McAndrew. OMB, which controls agency budgets, views FedRAMP's "certify once, use often" approach as an essential tool for reducing redundant costs for security and compliance.
Time is running out, however, to meet the June deadline.
It typically takes cloud service providers six months to complete the FedRAMP certification process. The agency and cloud provider must first demonstrate that the service meets up to 298 specific security controls. There are no shortcuts, but once a service has been certified, other agencies can adopt it quickly.
Although the FedRAMP process is rigorous and expensive, its comprehensive baseline approach has caught the attention of cloud customers in the private sector.
That comes as good news for VanRoekel, who not only sees cloud computing producing significant IT savings across federal agencies, but also setting a more widely accepted security baseline for the cloud computing industry. As more cloud providers align with FedRAMP security standards, they'll produce more cost-saving cloud services for agencies to choose from.
Find out how a government program is putting cloud computing on the fast track to better security. Also in the Cloud Security issue of InformationWeek Government: Defense CIO Teri Takai on why FedRAMP helps everyone.