Feds Developing Cloud Security Program

Proposed FedRAMP effort would make it easier for federal agencies to overcome compliance hurdles and participate in the Obama administration's drive toward the cloud.
In a move that could accelerate the federal government's shift toward cloud computing, an inter-agency working group is developing a unified, government-wide risk management program that should greatly decrease the amount of security work agencies need to do to get up and running on cloud services.

Security has been one of the major barriers to the government's adoption of cloud computing, and the proposed new effort, currently called the Federal Risk and Authorization Management Program Pilot, or FedRAMP, would give agencies that sign up a new, centralized approach to solving thorny security problems like certification and accreditation.

If implemented, FedRAMP will develop common security requirements for specific types of systems, provide ongoing risk assessments and continuous monitoring, and carry out government-wide security authorizations that will be posted on a public Web site. Agencies would also be able to see what security controls have been implemented in different products and services. This way, complicated certification and accreditation processes would only need to be carried out once per cloud service, and agencies could leverage shared security management services.

Today, each agency that wants to adopt cloud computing technology, whether it's or the Department of the Interior's National Business Center, typically duplicates tests already done by other agencies to ensure the service they're signing up for meets the government's security requirements. That leads to longer-than-necessary lead times to adoption and decisions not to adopt because the certification and accreditation process can be tedious.

Additionally, agencies each have their own flavor of security policies, despite the government-wide risk management framework guidelines set by the National Institute of Standards and Technology and government-wide security efforts like the Einstein intrusion detection and prevention system and the Trusted Internet Connections initiative. That leads to vexing complexity for vendors and inconsistencies among agencies, even though all agencies operate on a common core of security requirements.

FedRAMP won't supplant existing agency authority and responsibility to manage information security, said Peter Mell, a senior computer scientist at NIST and vice chair of the Cloud Computing Advisory Council (the body that initially proposed FedRAMP), but it will provide agencies with a more efficient way to carry out those responsibilities.

"The benefit is that this would decrease agency workload with respect to large, outsourced systems and government-wide systems," Mell said, pointing to the possibility of lower costs and accelerated deployments as a result.

Initially, the effort would focus exclusively on public and private cloud computing technologies -- software-as-a-service, infrastructure-as-a-service, and platform-as-a-service -- but could eventually branch out to cover traditional Web hosting and "other domains," according to Mell.

Since different agencies have different security requirements, FedRAMP's planners are working with agencies to develop baselines for specific domains that will be generally acceptable for most agencies. Agencies could then leverage the government-wide authorizations, and for any that need to do additional work themselves, most of the work will have already been done for them.

The formation of the FedRAMP project began last October in the inter-agency Cloud Computing Advisory Council's security working group, but it shares its philosophical underpinning with some of the principal ideas of federal CIO Vivek Kundra, who often speaks of the need to make it easier for the government to adopt new information technologies.

FedRAMP passed an initial test when it was approved by the Cloud Executive Steering Committee, a voting body of government CIOs, in January. Now, the Interagency Cloud Working Group -- headed by Kundra -- is determining how best to implement the process. The government is ready to move rapidly into a pilot phase upon Kundra's approval, Mell said.

FedRAMP would have a dedicated staff to do things like oversee continuous monitoring and update certifications and accreditations, but Mell says it's too early to say which agencies and government officials might take lead roles. However, NIST is playing an important role by helping to develop the "technical foundation" to make the effort possible and by coordinating between agencies to turn vision into reality.