Cloud Providers Align With FedRAMP Security Standards - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Government // Cybersecurity

Cloud Providers Align With FedRAMP Security Standards

Federal Risk and Authorization Management Program (FedRAMP), the government effort to hasten agencies' cloud adoption, has changed the way the cloud computing industry thinks about security.

Download the entire February 2014 InformationWeek Government issue, distributed in an all-digital format (registration required).

A two-year-old government program created to spur cloud computing adoption by federal agencies is changing the way commercial cloud service providers, from Amazon to Microsoft, think about cloud security standards. The program, known as the Federal Risk and Authorization Management Program (FedRAMP), is also changing the playing field for service providers competing for the government's business and has attracted the attention of banks and other major private-sector companies.

FedRAMP began as a way to streamline the duplicative and time-consuming work every federal agency must perform in assessing the security risks associated with using cloud-computing systems. Convinced in early 2011 that cloud computing could reduce federal IT operating and capital investment costs significantly, White House and federal IT officials needed a way to fast-track the certification process.

By establishing a common set of security controls and an independent verification system, FedRAMP enabled agencies for the first time to acquire a cloud service authorized by another federal agency without having to duplicate the entire security authorization process.

Now managed by the General Services Administration, FedRAMP has gained traction over the past year, as all federal agencies race to meet a June 2014 deadline to have their cloud services FedRAMP-certified.

Eleven vendors -- including Akamai, Amazon Web Services, AT&T, Hewlett-Packard, IBM, Lockheed Martin, and Microsoft -- are now authorized to operate cloud services for all or some federal agencies. A dozen more services are moving through the application process and more are in the pipeline, says FedRAMP director Maria Roat.

[Want more on the security of cloud services? Read Cloud Gazing: 3 Security Trends To Watch.]

Additionally, 27 third-party assessment organizations (and more are lining up) are approved to verify that a given cloud service satisfies, and continues to meet, a rigorous set of management controls and security standards legally required by federal agencies.

Cloud infrastructure services dominate the list of FedRAMP-approved services. Microsoft's Windows Azure is the only platform-as-a-service in the FedRAMP lineup. Late last month, Concurrent Technologies' virtual desktop management service became the first software-as-a-service to receive FedRAMP provisional approval. Fed-RAMP officials recognize they need to expand the range of available services to continue attracting agency participation.

FedRAMP has not only caught the attention of government agencies, but also private sector cloud service buyers. In the seven months since AWS received FedRAMP authority to operate a pair of cloud infrastructure services for the Department of Health and Human Services, 268 federal and state agencies have asked to review the vendor's FedRAMP authorization packages, says Teresa Carlson, Amazon Web Services' worldwide public sector VP. But it's the level of commercial sector interest in FedRAMP that surprised Carlson and AWS's director of risk and compliance, Chad Woolf.

"We've disclosed a summary of the controls we have for FedRAMP to some major banks. They were blown away by the comprehensive nature of the FedRAMP program," Woolf says. AWS has since assembled a package of documents for its commercial customers detailing what FedRAMP is all about.

Microsoft federal sector CTO Susie Adams has also seen a spike in interest. "As soon as we announced we had our [FedRAMP authority to operate], our phones were ringing off the hook," she says. The inquiries have come from Microsoft's developer partners and from governments and companies internationally. "State and local governments are starting to align their security requests with the FedRAMP standards," Adams says. "FedRAMP isn't widely adopted yet, but it is getting legs."

Defense Department CIO Teri Takai also senses FedRAMP's impact on the cloud computing market, and its potential to become more than just a government certification program. Takai, together with CIOs from the Department of Homeland Security and the General Services Administration, and their technical support teams, serve on Fed-RAMP's Joint Authorization Board, which reviews the independent assessments and decides whether cloud services can deliver on the government's stringent IT security standards. Vendors also have the option of earning FedRAMP authorization through a single agency, as Amazon did with HHS.

"FedRAMP in many ways is having a strong influence, and will have a strong influence, on the industry," Takai said in an exclusive interview with InformationWeek. "We are starting to see we're shaping how the industry looks at their security controls, in ways they can use to sell to the commercial industry. That was not something that I had the foresight to see," she says. FedRAMP officials also hadn't anticipated the need to create a FedRAMP branding guide for companies that want to advertise their certified services, she says.

Change the status quo
After two years of piloting and evaluating cloud technology, federal agencies awarded more than $17 billion in cloud-related contracts in the fiscal year that ended on Sept. 30, says Deltek analyst Alex Rossino. That activity stems from a number of factors: federal IT mandates, pressure to cut costs, as well as the June deadline to meet FedRAMP security standards.

With federal agencies spending more than $80 billion annually on IT products and services, the shift to the cloud -- and to a new generation of providers -- is shaking up the industry status quo. IBM learned that the hard way last year when it lost a $600 million CIA cloud infrastructure contract to AWS.

Tom McAndrew, executive VP of Coalfire Systems, one of the leading third-party assessors accredited by FedRAMP, notes that federal contractors used to make money creating security controls. But agencies are now "throwing those out" in favor of more common standards, McAndrew says. Cloud service providers have been building systems using security standards established in the payment card industry or by the National Institute of Standards and Technology (NIST). "What we've seen in the last year [is that] nearly every cloud service provider is building foundational security controls to [align] with FedRAMP baseline standards. That's huge," he says. "We've never seen that before. It's a massive transformational shift that's impacting the cloud industry."

FedRAMP will have particular application in the healthcare, education, and finance industries, where security is critical, McAndrew predicts. IT vendors catering to those sectors will "recognize there's an offensive opportunity" to becoming FedRAMP-certified, he says. Coalfire, meanwhile, doubled its workforce last year, to roughly 200 employees, and expects to "double or triple in size next year," says McAndrew, to keep up with demand for cloud security verification.

Hard road to FedRAMP certification
For cloud service providers, meeting Fed-RAMP's rigorous authorization requirements is "an egregious process, but it was meant to be," says John Keese, CEO of Autonomic Resources, the first cloud infrastructure provider to gain FedRAMP approval and the first to be reaccredited one year later. "It's not a once-and-done process," he says.

It can take providers six to nine months to put the needed management disciplines and technical controls in place. Then begins the continuous monitoring, reporting, and remediation work that FedRAMP requires. For vendors unused to working in the government IT environment, the cost of entry is stiff. Keese estimates it would take between $25 million and $35 million in engineering and staffing costs for a commercial cloud service provider to meet the government's demanding IT security standards.

Even experienced vendors are struggling with the extraordinary amount and level of security controls and documentation. Of the more than 80 cloud providers that have applied for FedRAMP certification, more than half aren't ready to go through the process, Kathy Conrad, a senior GSA official, stated recently.


We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
1 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
1/27/2014 | 4:15:02 PM
ABC7 News Program Takes Notice of FedRAMP story
Those who follow FedRAMP may be interested to note, Washington's ABC7 TV news program, Government Matters, featured a segment, based on this report, on this past Sunday's program.  Here's a link to the program:

User Rank: Author
1/23/2014 | 9:02:45 PM
Re: Standards are great but don't forget about evolving risk
Affine, you make a fair point about the limits of using standards in an evolving cyber world. But FedRAMP isn't just about meeting a securitiy checklist, its also about assessing the risk posture of a system and being prepared for the risks. That's why they call it the Federal Risk and Authorization Management Program, not just the Federal Security and Authorization Management Program.
User Rank: Author
1/21/2014 | 1:50:26 PM
Re: See Teresa Takai's take on JAB vs Agency ATO
Thanks for raising issue regarding JAB vs agency authorization and its scope.  When the JAB gives a cloud service "Provisional Authority to Operate" it has satisfied the CIO offices at DOD, DHS and GSA, as opposed to a single agency. some would say that carries more weight. But the the FedRAMP authoriztion by an agency, as HHS did with Amazone Web Services, satisfies the same requirements.

Of equal importance, and thanks for raising this also, FedRAMP authoritiy lapplies to a specific service.  AWS, for instance has more than three dozen cloud services across multiple regions. What HHS appoved was two infrastructure services that specifically meet HHS' requirements.  Other agencies can now build on those services, but that does not mean other AWS services share the FedRAMP seal of approval.

InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Remote Work Tops SF, NYC for Most High-Paying Job Openings
Jessica Davis, Senior Editor, Enterprise Apps,  7/20/2021
Blockchain Gets Real Across Industries
Lisa Morgan, Freelance Writer,  7/22/2021
Seeking a Competitive Edge vs. Chasing Savings in the Cloud
Joao-Pierre S. Ruth, Senior Writer,  7/19/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
Monitoring Critical Cloud Workloads Report
In this report, our experts will discuss how to advance your ability to monitor critical workloads as they move about the various cloud platforms in your company.
Flash Poll