A two-year-old government program created to spur cloud computing adoption by federal agencies is changing the way commercial cloud service providers, from Amazon to Microsoft, think about cloud security standards. The program, known as the Federal Risk and Authorization Management Program (FedRAMP), is also changing the playing field for service providers competing for the government's business and has attracted the attention of banks and other major private-sector companies.
FedRAMP began as a way to streamline the duplicative and time-consuming work every federal agency must perform in assessing the security risks associated with using cloud-computing systems. Convinced in early 2011 that cloud computing could reduce federal IT operating and capital investment costs significantly, White House and federal IT officials needed a way to fast-track the certification process.
By establishing a common set of security controls and an independent verification system, FedRAMP enabled agencies for the first time to acquire a cloud service authorized by another federal agency without having to duplicate the entire security authorization process.
Now managed by the General Services Administration, FedRAMP has gained traction over the past year, as all federal agencies race to meet a June 2014 deadline to have their cloud services FedRAMP-certified.
Eleven vendors -- including Akamai, Amazon Web Services, AT&T, Hewlett-Packard, IBM, Lockheed Martin, and Microsoft -- are now authorized to operate cloud services for all or some federal agencies. A dozen more services are moving through the application process and more are in the pipeline, says FedRAMP director Maria Roat.
[Want more on the security of cloud services? Read Cloud Gazing: 3 Security Trends To Watch.]
Additionally, 27 third-party assessment organizations (and more are lining up) are approved to verify that a given cloud service satisfies, and continues to meet, a rigorous set of management controls and security standards legally required by federal agencies.
Cloud infrastructure services dominate the list of FedRAMP-approved services. Microsoft's Windows Azure is the only platform-as-a-service in the FedRAMP lineup. Late last month, Concurrent Technologies' virtual desktop management service became the first software-as-a-service to receive FedRAMP provisional approval. Fed-RAMP officials recognize they need to expand the range of available services to continue attracting agency participation.
FedRAMP has not only caught the attention of government agencies, but also private sector cloud service buyers. In the seven months since AWS received FedRAMP authority to operate a pair of cloud infrastructure services for the Department of Health and Human Services, 268 federal and state agencies have asked to review the vendor's FedRAMP authorization packages, says Teresa Carlson, Amazon Web Services' worldwide public sector VP. But it's the level of commercial sector interest in FedRAMP that surprised Carlson and AWS's director of risk and compliance, Chad Woolf.
"We've disclosed a summary of the controls we have for FedRAMP to some major banks. They were blown away by the comprehensive nature of the FedRAMP program," Woolf says. AWS has since assembled a package of documents for its commercial customers detailing what FedRAMP is all about.
Microsoft federal sector CTO Susie Adams has also seen a spike in interest. "As soon as we announced we had our [FedRAMP authority to operate], our phones were ringing off the hook," she says. The inquiries have come from Microsoft's developer partners and from governments and companies internationally. "State and local governments are starting to align their security requests with the FedRAMP standards," Adams says. "FedRAMP isn't widely adopted yet, but it is getting legs."
Defense Department CIO Teri Takai also senses FedRAMP's impact on the cloud computing market, and its potential to become more than just a government certification program. Takai, together with CIOs from the Department of Homeland Security and the General Services Administration, and their technical support teams, serve on Fed-RAMP's Joint Authorization Board, which reviews the independent assessments and decides whether cloud services can deliver on the government's stringent IT security standards. Vendors also have the option of earning FedRAMP authorization through a single agency, as Amazon did with HHS.
"FedRAMP in many ways is having a strong influence, and will have a strong influence, on the industry," Takai said in an exclusive interview with InformationWeek. "We are starting to see we're shaping how the industry looks at their security controls, in ways they can use to sell to the commercial industry. That was not something that I had the foresight to see," she says. FedRAMP officials also hadn't anticipated the need to create a FedRAMP branding guide for companies that want to advertise their certified services, she says.
Change the status quo
After two years of piloting and evaluating cloud technology, federal agencies awarded more than $17 billion in cloud-related contracts in the fiscal year that ended on Sept. 30, says Deltek analyst Alex Rossino. That activity stems from a number of factors: federal IT mandates, pressure to cut costs, as well as the June deadline to meet FedRAMP security standards.
With federal agencies spending more than $80 billion annually on IT products and services, the shift to the cloud -- and to a new generation of providers -- is shaking up the industry status quo. IBM learned that the hard way last year when it lost a $600 million CIA cloud infrastructure contract to AWS.
Tom McAndrew, executive VP of Coalfire Systems, one of the leading third-party assessors accredited by FedRAMP, notes that federal contractors used to make money creating security controls. But agencies are now "throwing those out" in favor of more common standards, McAndrew says. Cloud service providers have been building systems using security standards established in the payment card industry or by the National Institute of Standards and Technology (NIST). "What we've seen in the last year [is that] nearly every cloud service provider is building foundational security controls to [align] with FedRAMP baseline standards. That's huge," he says. "We've never seen that before. It's a massive transformational shift that's impacting the cloud industry."
FedRAMP will have particular application in the healthcare, education, and finance industries, where security is critical, McAndrew predicts. IT vendors catering to those sectors will "recognize there's an offensive opportunity" to becoming FedRAMP-certified, he says. Coalfire, meanwhile, doubled its workforce last year, to roughly 200 employees, and expects to "double or triple in size next year," says McAndrew, to keep up with demand for cloud security verification.
Hard road to FedRAMP certification
For cloud service providers, meeting Fed-RAMP's rigorous authorization requirements is "an egregious process, but it was meant to be," says John Keese, CEO of Autonomic Resources, the first cloud infrastructure provider to gain FedRAMP approval and the first to be reaccredited one year later. "It's not a once-and-done process," he says.
It can take providers six to nine months to put the needed management disciplines and technical controls in place. Then begins the continuous monitoring, reporting, and remediation work that FedRAMP requires. For vendors unused to working in the government IT environment, the cost of entry is stiff. Keese estimates it would take between $25 million and $35 million in engineering and staffing costs for a commercial cloud service provider to meet the government's demanding IT security standards.
Even experienced vendors are struggling with the extraordinary amount and level of security controls and documentation. Of the more than 80 cloud providers that have applied for FedRAMP certification, more than half aren't ready to go through the process, Kathy Conrad, a senior GSA official, stated recently.
At its foundation, FedRAMP builds on management and technical practices developed for federal agencies by NIST, whose recommendations are captured in a 457-page document (800-53 R4) and a companion guide (800-37).
"The power of the NIST framework is that it can be customized for specialized environments of operation or business situations," says NIST fellow Ron Ross, the framework's principal architect. FedRAMP officials took that template and filled in the blanks, specifying requirements for about 300 security controls common to most federal agencies, Ross says.
Agency CIOs, for example, must be able to demonstrate that their cloud service provider can describe and protect the boundaries of their systems, identify which devices are on those systems, identify how they're configured, and be able to physically and logically isolate their systems' software and hardware assets. Providers also must be able to perform continuous code scans and process electronic discovery requests, and if a high-risk incident occurs, be able to fix the problem within 30 days.
Those measures aren't new to federal agencies. What's new is CIOs trusting that a service approved at another agency will work for their own agency.
FedRAMP takes all the security requirements agencies had to follow for their conventional IT systems and "extends those controls specifically for cloud computing," says Melvin Greer, a chief strategist at Lockheed Martin. More important, "FedRAMP has codified security," Greer says. "It has detailed what we mean when we say cloud security." It also makes it easier for acquisition staffs to buy cloud services because "they can be assured services from FedRAMP-approved providers will meet all of their requirements."
Greer also believes third-party auditing will be a game changer. "We've seen innovation accelerate in the payment card industry" because providers have to adhere to common standards. "We think that's exactly what's going to happen with cloud computing."
JAB vs. agency authority
One decision prospective cloud providers will have to make is whether to seek FedRAMP authorization directly through an agency, or apply through the Joint Authorization Board. A JAB authorization is provisional, meaning that agencies can use it as a baseline and, if necessary, add their own security controls, as the Defense Department plans to do. But it has the benefit of having satisfied the scrutiny of DOD, DHS, GSA, and the agency that sponsored the cloud service review.
Which is better? "It depends on where you sit," says Frank Baitman, CIO at the Department of Health and Human Services. For a provider, "it's a little bit quicker to go through an agency. There's no difference in terms of the baseline requests," he says.
For AWS, which already had been working with HHS, the choice was clearer. "We really began with the customer and worked backward," says AWS's Carlson. "We don't feel there is a lot of difference between the agency and the JAB ATOs. The JAB is a force multiplier." But its approval is more theoretical. "With the agency, you're doing practical workloads," Carlson says.
Baitman estimates that at HHS it took 15 full-time employees and some contractors six months to complete the FedRAMP authorization process for infrastructure services provided by AWS.
He credits AWS for "making a significant investment in time and people to make the process work."
Since HHS got the AWS ATO done last May, more than a dozen agency programs have used or acquired a cloud service, Baitman says. He estimates that HHS has already saved $1 million in operating costs, but he says bigger savings are to come.
Baitman's advice to cloud service providers: "Come to the table, roll up your sleeves, and realize it's going to take a lot of effort and serious commitment on your part to make it happen."
Carlson sees a bigger lesson: "You will see a lot of acquisition contracts embrace Fed-RAMP. That will be a key driver. Cloud companies won't be able to participate in any procurement or award without being able to achieve the FedRAMP standards."
The ramp ahead
Despite the momentum, FedRAMP's Roat says the program still faces an uphill battle getting agencies -- and cloud service providers -- on board.
"I see [agency] business owners who are incredibly on board to move to the cloud, but their CIO shops are holding back," reluctant to give up parts of their IT operations, Roat says. "There's still a lot of education needed with the federal workforce" on how to securely integrate cloud computing. But she also sees how those efforts are paying off, pointing to the Interior Department, which authorized six cloud services within a week's review time, at half the usual cost, using FedRAMP-certified services.
Adds Dave McClure, the GSA associate administrator who oversees the FedRAMP office: "It takes a lot of culture busting." But considering what FedRAMP has accomplished over the past year, "the concept we created has proven itself out," he says.
GSA's Conrad says FedRAMP has accomplished something else. "The fact that we have more than two dozen third-party assessment organizations says we have created a new market," Conrad says. "We're driving a whole new business model for the cloud, not just for security."
Wyatt Kash, editor of InformationWeek Government, can be reached at [email protected]
Moving email to the cloud has lowered IT costs and improved efficiency. Find out what federal agencies can learn from early adopters. Also in the The Great Email Migration issue of InformationWeek Government: Lessons from a successful government data site. (Free registration required.)
distributed in an all-digital format (registration required).