How FedRAMP Lifts All Cloud Ships - InformationWeek

11:19 AM
Wyatt Kash

How FedRAMP Lifts All Cloud Ships

FedRAMP's role in making cloud services more secure also helps agencies offset some of the complexity of their IT operations, says NIST's Ron Ross.

If you spend any time listening to what government IT executives are talking about in Washington these days -- besides the NSA's data-collection practices and what everyone should have learned from -- it's hard to ignore at least some discussion about secure cloud computing and a federal program called FedRAMP.

Talk to IT executives outside of Washington, however, and it's evident that discussions about FedRAMP and its impact on cloud service providers are reaching far beyond the Beltway and rippling through the boardrooms of IT services providers. As Amazon Web Services VP Teresa Carlson said in a recent interview: "Cloud companies won't be able to participate in any [government] procurement or award without being able to achieve the FedRAMP standards."

For those new to the discussion, FedRAMP is a program cooked up by a group of savvy bureaucrats who grasped the potential of cloud computing, but also understood that, without help in overcoming the government's own red tape, federal agencies faced a long road to cloud adoption. The reason stems from the fact that every federal agency must assess and certify the security risks of its IT systems. Cloud computing added a new layer of complexity to the government's security requirements and procurement contracts.


How FedRAMP -- the Federal Risk Authorization and Management Program -- succeeded in greasing the policy skids for agencies and creating a set of baseline security standards now gaining attention from cloud computing providers, and even some of their commercial customers, is the subject of an InformationWeek Government special report released this week.

Ron Ross, one of FedRAMP's architects from the National Institute of Standards and Technology, believes FedRAMP is important to agencies and cloud computing service providers for a couple of reasons.

NIST's Ron Ross.
(Source: NIST)

"It sets very clear expectations on what security controls are needed" to minimize an enterprise's IT security risks, Ross says. He points to FedRAMP's insistence on third-party assessment organizations to "validate that cloud service providers have implemented those controls. That's good for industry and it's good for federal agencies," he says.

Ross also sees a greater good in the way FedRAMP helps support cloud computing and offsets IT complexity. "The more we can address our complexity problem by moving as much IT as is appropriate to the cloud, the more that frees up our remaining resources. That's an important part of the equation in trying to lock down our critical infrastructure," he argues.

While federal agencies placed down payments on $17 billion worth of cloud computing projects this past fiscal year, FedRAMP officials know they must do more to attract a wider range of cloud services -- and to persuade agencies to use FedRAMP-certified services. 

More also needs to be done to educate federal officials about the potential savings and false promises that come with cloud computing. That's one reason behind the announcement, made last week, by Congressmen Darrell Issa (R-Calif.) and Gerry Connolly (D-Va.) that they and a group of industry supporters had agreed to launch the Cloud Computing Caucus Advisory Group, which they hope will enlighten the discussion on cloud computing.

But this much is clear: FedRAMP is a program more people will be talking about, and not just in Washington.

Wyatt Kash is editor of InformationWeek Government. 

User Rank: Author
1/22/2014 | 7:07:39 PM
Re: You never know where enlightenment might come from
It's interesting, one's a Republican, the other a Democrat. Connolly says he agrees on practically nothing that Issa stands for -- except managing IT better in government. Issa comes from the tech sector; Connolly's VA district probably has more tech companies than any other Congressional district. They've joined forces in part to support a couple pieces of IT reform legislation.

There have been -- and still are -- a few enlightened legislators in Congress. Former VA Rep. Tom Davis and Del. Sen. Tom Carper come to mind. But on the whole, cloud computing is still a mystery for a lot of folks on the Hill.
User Rank: Strategist
1/22/2014 | 2:38:41 PM
You never know where enlightenment might come from
Two Congressmen form the Cloud Computing Caucus Advisory Group to enlighten federal agencies on cloud use. Maybe cloud advocates should form the Sequester Budgeting Caucus Advisory Group to enlighten Congress.