FedRAMP: Ready, Set, Launch for Cybersecurity

GSA makes progress on baseline security controls that cloud providers must meet to offer their services to agencies.

FedRAMP is close to becoming reality.

The initiative, spearheaded by the General Services Administration, will become operational in a limited capacity in June, when organizers begin the full authorization process for two offerings already available under GSA blanket purchase agreements: an infrastructure-as-a-service cloud and a cloud-based e-mail and collaboration software-as-a-service package.

GSA has been busy preparing for the launch. The agency in January announced a set of baseline security controls that government or public-cloud providers must meet to offer their cloud services to agencies, says Dave McClure, associate administrator of GSA’s Office of Citizen Services and Innovative Technologies.

In February, the GSA released two documents that detail the organizational structure and process to assess and authorize cloud services, says Matthew Goodrich, FedRAMP’s program manager at GSA.

First, it released a “concept of operations,” which is essentially a user’s guide, providing agencies and cloud service providers a set of instructions for getting their cloud services authorized. In late February, the GSA released the Joint Authorization Board charter, which outlines the governing body’s jobs and functions.

Here’s how FedRAMP will work: Cloud providers must implement FedRAMP’s security requirements and hire a third-party assessment organization to independently audit the cloud system and produce a security assessment package for review, Goodrich says. If an agency decides to contract for the cloud provider’s services, it can determine whether the vendor’s FedRAMP baseline security assessment fully meets its security needs or request additional control testing to satisfy needs “unique” to its own system’s security authorization.

The Joint Authorization Board — made up of the CIOs of the Defense and Homeland Security departments and GSA — reviews the packages and grants provisional authorizations. Once a package is approved, individual agencies can leverage the core, baseline cloud-security assessment work already completed and certified by the board or by another agency, do any additional testing and certification needed for their own systems environment or needs, and then grant their own authority to operate. Leveraging the work of others is the key ingredient to faster, less expensive and more consistent security authorizations of cloud services.

In late spring, the GSA is expected to announce an initial set of third-party assessment organizations that have been approved to assess cloud services for FedRAMP, McClure says.

“In the last six months or so, during this pre-launch phase, we’ve rolled out these deliverables like clockwork,” he says. “There are many pieces to this, and we have to get it in place before we go live, and we feel we are on target.”

When FedRAMP begins reviewing the first cloud services in June, the FedRAMP Program Management Office will examine how long the certification process takes and use the lessons learned to improve the process before it begins assessing other cloud services, McClure says.  

FedRAMP is a work in progress and will be refined over the next two years, he says. During the second half of 2012, for example, GSA will update the concept of operations and continuous monitoring requirements. And once the National Institute of Standards and Technology (NIST) finalizes its 800-53 Revision 4 security publication, GSA will incorporate the new controls into FedRAMP.

By early 2013, the agency hopes to begin authorizing more cloud services, Goodrich says. “We will look at our initial performance benchmarks and see where we can make it more efficient, and as we move to the second quarter of fiscal year 2013, we will open up the pipeline wider and take on more reviews.”

By 2014, the initiative will become fully operational, with an electronic repository that will house all the FedRAMP data and manage its workflow.

“At the outset, we will use a manual process,” McClure explains. “But the vision is to create a secure data repository for workflow management to make the process more efficient and foster information sharing.” 

In time, FedRAMP will live up to its promise of “do once, leverage many times,” and provide agencies with a large selection of secure cloud services to choose from, McClure says.   

“The proposed cloud security review process is intended to be rigorous. We haven’t made it easy, but our goal is to be more efficient,” he says. “We want to make it consistent, so agencies have confidence and trust that the cloud services that do pass FedRAMP security standards are indeed secure.”

Cloud Shopping

NIST’s initial foray into implementing cloud services internally is a prime example of why FedRAMP is necessary.

The agency has used the cloud to put low-impact data, such as news, photos and videos, on social networking websites. Now, it’s looking into adopting collaboration software and a cloud-based help-desk application, which are moderate-impact systems under the Federal Information Security Management Act (FISMA), says John Connor, IT security specialist for NIST’s Office of Information Systems Management.

Today, the research process is manual. He contacts cloud providers to see if they’ve performed independent security assessments and built system security plans, which are all part of the government’s authorization process. “Some have already hired independent assessors and have written a system security plan, and they have a government agency that has already tested against them. And some haven’t done anything,” he says.

Connor also contacts other agencies to see if they’ve done assessment work that NIST can leverage. For example, the GSA recently migrated to cloud-based e-mail and collaboration software. When Connor contacted the GSA, the agency shared with him its vendor assessments.

“We are a moderate-sized agency, we have good assessment and authorization teams, but we are not a large agency and do not have the resources to assess them all ourselves.”

Connor looks forward to FedRAMP, so he can choose among a pool of vendors that have already been approved. Once a vendor is approved, NIST would need to perform assessment and authorization work on only the 20 percent of security controls that are NIST-specific.

“Now, when I research cloud services, it’s through word of mouth, but FedRAMP will put it all in one place,” he says. “Ultimately, FedRAMP will be a great thing and save each agency time and money.”

Apr 10 2012