Feds Developing Cloud Security Program - InformationWeek


Proposed FedRAMP effort would make it easier for federal agencies to overcome compliance hurdles and participate in the Obama administration's drive toward the cloud.

In a move that could accelerate the federal government's shift toward cloud computing, an inter-agency working group is developing a unified, government-wide risk management program that should greatly decrease the amount of security work agencies need to do to get up and running on cloud services.

Security has been one of the major barriers to the government's adoption of cloud computing, and the proposed new effort, currently called the Federal Risk and Authorization Management Program Pilot, or FedRAMP, would let agencies sign up for a new, centralized approach to solving thorny security problems like certification and accreditation.

If implemented, FedRAMP will develop common security requirements for specific types of systems, provide ongoing risk assessments and continuous monitoring, and carry out government-wide security authorizations that will be posted on a public Web site. Agencies would also be able to see what security controls have been implemented in different products and services. This way, complicated certification and accreditation processes would only need to be carried out once per cloud service, and agencies could leverage shared security management services.

Today, each agency that wants to adopt cloud computing technology, whether it's Salesforce.com or the Department of the Interior's National Business Center, typically duplicates tests already done by other agencies to ensure the service they're signing up for meets the government's security requirements. That leads to longer-than-necessary lead times to adoption and decisions not to adopt because the certification and accreditation process can be tedious.

Additionally, agencies each have their own flavor of security policies, despite government-wide risk management framework guidelines set by the National Institute of Standards and Technology, and government-wide security efforts like the Einstein intrusion detection and prevention system, or the Trusted Internet Connections initiative. That leads to vexing complexity for vendors and inconsistencies among different agencies, even though all agencies operate on a common core of security requirements.

FedRAMP won't supplant existing agency authority and responsibility to manage information security, said Peter Mell, a senior computer scientist at NIST and vice chair of the Cloud Computing Advisory Council (the body that initially proposed FedRAMP), but it will provide agencies with a more efficient way to carry out those responsibilities.

"The benefit is that this would decrease agency workload with respect to large, outsourced systems and government-wide systems," Mell said, pointing to the possibility of lower costs and accelerated deployments as a result.

Initially, the effort would focus exclusively on public and private cloud computing technologies -- software-as-a-service, infrastructure-as-a-service, and platform-as-a-service -- but could eventually branch out to cover traditional Web hosting and "other domains," according to Mell.

Since different agencies have different security requirements, FedRAMP's planners are working with agencies to develop baselines for specific domains that will be generally acceptable for most agencies. Agencies could then leverage the government-wide authorizations, and for any that need to do additional work themselves, most of the work will have already been done for them.

The formation of the FedRAMP project began last October in the inter-agency Cloud Computing Advisory Council's security working group, but it shares its philosophical underpinning with some of the principal ideas of federal CIO Vivek Kundra, who often speaks of the need to make it easier for the government to adopt new information technologies.

FedRAMP passed an initial test when it was approved by the Cloud Executive Steering Committee, a voting body of government CIOs, in January. Now, the Interagency Cloud Working Group -- headed by Kundra -- is determining how best to implement the process. The government is ready to move rapidly into a pilot phase upon Kundra's approval, Mell said.

FedRAMP would have a dedicated staff to do things like oversee continuous monitoring and update certifications and accreditations, but Mell says it's too early to say which agencies and government officials might take lead roles. However, NIST is playing an important role by helping to develop the "technical foundation" to make the effort possible and by coordinating between agencies to turn vision into reality.
