Cloud Providers Align With FedRAMP Security Standards - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Government // Cybersecurity

Cloud Providers Align With FedRAMP Security Standards

Federal Risk and Authorization Management Program (FedRAMP), the government effort to hasten agencies' cloud adoption, has changed the way the cloud computing industry thinks about security.

At its foundation, FedRAMP builds on management and technical practices developed for federal agencies by NIST, whose recommendations are captured in a 457-page document (800-53 R4) and a companion guide (800-37). 

"The power of the NIST framework is that it can be customized for specialized environments of operation or business situations," says NIST fellow Ron Ross, the framework's principal architect. FedRAMP officials took that template and filled in the blanks, specifying requirements for about 300 security controls common to most federal agencies, Ross says.

Agency CIOs, for example, must be able to demonstrate that their cloud service provider can describe and protect the boundaries of their systems, identify which devices are on those systems, identify how they're configured, and be able to physically and logically isolate their systems' software and hardware assets. Providers also must be able to perform continuous code scans and process electronic discovery requests, and if a high-risk incident occurs, be able to fix the problem within 30 days.

Those measures aren't new to federal agencies. What's new is CIOs trusting that a service approved at another agency will work for their own agency.

FedRAMP takes all the security requirements agencies had to follow for their conventional IT systems and "extends those controls specifically for cloud computing," says Melvin Greer, a chief strategist at Lockheed Martin. More important, "FedRAMP has codified security," Greer says. "It has detailed what we mean when we say cloud security." It also makes it easier for acquisition staffs to buy cloud services because "they can be assured services from FedRAMP-approved providers will meet all of their requirements."

Greer also believes third-party auditing will be a game changer. "We've seen innovation accelerate in the payment card industry" because providers have to adhere to common standards. "We think that's exactly what's going to happen with cloud computing."

JAB vs. agency authority
One decision prospective cloud providers will have to make is whether to seek FedRAMP authorization directly through an agency, or apply through the Joint Authorization Board. A JAB authorization is provisional, meaning that agencies can use it as a baseline and, if necessary, add their own security controls, as the Defense Department plans to do. But it has the benefit of having satisfied the scrutiny of DOD, DHS, GSA, and the agency that sponsored the cloud service review.

Which is better? "It depends on where you sit," says Frank Baitman, CIO at the Department of Health and Human Services. For a provider, "it's a little bit quicker to go through an agency. There's no difference in terms of the baseline requests," he says.

For AWS, which already had been working with HHS, the choice was clearer. "We really began with the customer and worked backward," says AWS's Carlson. "We don't feel there is a lot of difference between the agency and the JAB ATOs. The JAB is a force multiplier." But its approval is more theoretical. "With the agency, you're doing practical workloads," Carlson says.

Baitman estimates that at HHS it took 15 full-time employees and some contractors six months to complete the FedRAMP authorization process for infrastructure services provided by AWS.

He credits AWS for "making a significant investment in time and people to make the process work."

Since HHS got the AWS ATO done last May, more than a dozen agency programs have used or acquired a cloud service, Baitman says. He estimates that HHS has already saved $1 million in operating costs, but he says bigger savings are to come.

Baitman's advice to cloud service providers: "Come to the table, roll up your sleeves, and realize it's going to take a lot of effort and serious commitment on your part to make it happen."

Carlson sees a bigger lesson: "You will see a lot of acquisition contracts embrace Fed-RAMP. That will be a key driver. Cloud companies won't be able to participate in any procurement or award without being able to achieve the FedRAMP standards."

The ramp ahead
Despite the momentum, FedRAMP's Roat says the program still faces an uphill battle getting agencies -- and cloud service providers -- on board.

"I see [agency] business owners who are incredibly on board to move to the cloud, but their CIO shops are holding back," reluctant to give up parts of their IT operations, Roat says. "There's still a lot of education needed with the federal workforce" on how to securely integrate cloud computing. But she also sees how those efforts are paying off, pointing to the Interior Department, which authorized six cloud services within a week's review time, at half the usual cost, using FedRAMP-certified services.

Adds Dave McClure, the GSA associate administrator who oversees the FedRAMP office: "It takes a lot of culture busting." But considering what FedRAMP has accomplished over the past year, "the concept we created has proven itself out," he says.

GSA's Conrad says FedRAMP has accomplished something else. "The fact that we have more than two dozen third-party assessment organizations says we have created a new market," Conrad says. "We're driving a whole new business model for the cloud, not just for security."

Wyatt Kash, editor of InformationWeek Government, can be reached at [email protected]

Moving email to the cloud has lowered IT costs and improved efficiency. Find out what federal agencies can learn from early adopters. Also in the The Great Email Migration issue of InformationWeek Government: Lessons from a successful government data site. (Free registration required.)

Download the entire February 2014 InformationWeek Government issue,
distributed in an all-digital format (registration required).

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
2 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
1/27/2014 | 4:15:02 PM
ABC7 News Program Takes Notice of FedRAMP story
Those who follow FedRAMP may be interested to note, Washington's ABC7 TV news program, Government Matters, featured a segment, based on this report, on this past Sunday's program.  Here's a link to the program:

User Rank: Author
1/23/2014 | 9:02:45 PM
Re: Standards are great but don't forget about evolving risk
Affine, you make a fair point about the limits of using standards in an evolving cyber world. But FedRAMP isn't just about meeting a securitiy checklist, its also about assessing the risk posture of a system and being prepared for the risks. That's why they call it the Federal Risk and Authorization Management Program, not just the Federal Security and Authorization Management Program.
User Rank: Apprentice
1/22/2014 | 12:26:30 PM
Standards are great but don't forget about evolving risk
The more we can get to a standards based security program, the easier for organizations to improve their security posture.  The risk that most organizations need to avoid is assuming that meeting the standards means they don't need to do anything thing else for security and IT risk.  This is an evolving landscape and NIST, PCI nor any other standard will ever keep up with the attackers will and desire to find new avenues for getting to the data and information that they want.  A strong security program that leverages a standard as a baseline but includes a strong risk analysis program that monitors and responds to the threat landscape is critical in the current environment we do are doing business in.
User Rank: Strategist
1/22/2014 | 7:20:17 AM
Managing Cloud Risks With Service Organization Controls
Great to see FEDRAMP accelerating cloud adoption rates however with the current state of cloud security in general this will at times fall short in ensuring an absolutely secure computing environment, bespoke security for cloud based apps is still the way forward along with using compliance standards such as SOC to manage security. I work for McGladrey and there's a whitepaper on the website that aligns well with this article that was created on this subject, readers will be interested in it. @ "Managing cloud risks with service organization controls"
User Rank: Apprentice
1/21/2014 | 2:55:09 PM
No doubt that "foundational security controls" built on a common standard are catching fire.
As a member of a leading 3PAO, I am excited to see this transformation as it occurs. What is equally impressive, is that organizations are not opting for a "lesser" standard, but instead, are adopting a standard that is challenging from the planning phase through continuous operation.
User Rank: Author
1/21/2014 | 1:50:26 PM
Re: See Teresa Takai's take on JAB vs Agency ATO
Thanks for raising issue regarding JAB vs agency authorization and its scope.  When the JAB gives a cloud service "Provisional Authority to Operate" it has satisfied the CIO offices at DOD, DHS and GSA, as opposed to a single agency. some would say that carries more weight. But the the FedRAMP authoriztion by an agency, as HHS did with Amazone Web Services, satisfies the same requirements.

Of equal importance, and thanks for raising this also, FedRAMP authoritiy lapplies to a specific service.  AWS, for instance has more than three dozen cloud services across multiple regions. What HHS appoved was two infrastructure services that specifically meet HHS' requirements.  Other agencies can now build on those services, but that does not mean other AWS services share the FedRAMP seal of approval.

User Rank: Apprentice
1/21/2014 | 10:33:50 AM
See Teresa Takai's take on JAB vs Agency ATO
The JAB vs Agency ATO difference isn't a debate. See quote from DoD CIO Takai to may help the deflections that occur about difference. Its not theoretical as some say, it is however rigourous.


"Cloud service providers can still receive direct operating authority from an individual federal agency, as Amazon Web Services did last May from the Department of Health and Human Services. But approval by FedRAMP's Joint Authorization Board, on which Takai sits, offers an added badge of authority that a cloud service conforms to a baseline of security standards that, subject to provisional review, will satisfy the demands of most federal agencies."


Beware / watch presentations made by CSP's, if one particular offering is FedRAMP accredited it does not "peanut butter" across all the CSP's offerings. Sat in many of presentations that one would assume the all the product offerings a CSP has; are accredited because one of the services has had an Agency ATO.
COVID-19: Using Data to Map Infections, Hospital Beds, and More
Jessica Davis, Senior Editor, Enterprise Apps,  3/25/2020
Enterprise Guide to Robotic Process Automation
Cathleen Gagne, Managing Editor, InformationWeek,  3/23/2020
How Startup Innovation Can Help Enterprises Face COVID-19
Joao-Pierre S. Ruth, Senior Writer,  3/24/2020
White Papers
Register for InformationWeek Newsletters
Current Issue
IT Careers: Tech Drives Constant Change
Advances in information technology and management concepts mean that IT professionals must update their skill sets, even their career goals on an almost yearly basis. In this IT Trend Report, experts share advice on how IT pros can keep up with this every-changing job market. Read it today!
Flash Poll