The General Services Administration expects to finalize and release security standards for government cloud computing this fall.
The interagency effort, called the Federal Risk and Authorization Management Program, provides a uniform set of baseline security controls that government or commercial cloud providers must meet to offer services to agencies. It also outlines initial requirements for continuous monitoring of cloud services to safeguard data and includes a proposed governance model for the government to assess and authorize cloud services.
The goal of FedRAMP is to create a standard approach to certify that cloud providers meet Federal Information Security Management Act requirements, so they can provide cloud services to multiple agencies. The result is faster certification of cloud providers and cost savings, because agencies no longer have to perform the certifications individually, says Sanjeev Bhagowalia, who recently left GSA to become CIO for Hawaii.
In the past, individual agencies have had different interpretations of FISMA and of the various security controls outlined by the National Institute of Standards and Technology. That has resulted in inconsistent approaches to certification, which often meant that other agencies could not reuse the work, Bhagowalia says.
GSA released a draft FedRAMP security controls document last October. After fielding about 1,000 comments, small workgroups within government are incorporating suggestions and changes into the final document and program structure.
The initial release of FedRAMP is aimed at low- to moderate-impact cloud services. The government intends to look at high-impact cloud services in the next release.