Jul 21 2014

Agencies Move Past the FedRAMP Deadline

With a key milestone under its belt, the government’s cloud program is all systems go for widespread adoption.

The days of agencies blazing their own trails through secure cloud deployments are over, in theory at least. As of early June, cloud service providers that want to do business with the government should be in compliance with the Federal Risk and Authorization Management Program, an initiative to assess the security of cloud solutions and authorize them for government use. And at this point, agencies looking to realize the benefits of cloud computing should be using FedRAMP-authorized providers.

In other words, if your agency needs a cloud provider to host some of its IT resources, it’s time to use FedRAMP as your one-stop shop for approved services.

“The reality is that while there may be an agency here or there that doesn’t comply, the vast majority of agencies have been working closely with FedRAMP and wouldn’t think of using a provider that wasn’t authorized by the FedRAMP program management office,” says Christopher Bollerer, director of security governance, risk management and compliance at the Health and Human Services Department.

Credit: Gary Landsman

Christopher Bollerer, director of security governance, risk management and compliance at the Health and Human Services Department

Agencies throughout HHS, including the Food and Drug Administration and National Institutes of Health, are now using Infrastructure as a Service and other cloud-based solutions under a special FedRAMP authorization sponsored by HHS. They’re also using cloud services authorized by FedRAMP’s own Joint Authorization Board.

“I think we’ll find that federal agencies will adopt the FedRAMP standards because they are a good security practice and it gives agencies the opportunity to deploy new computing capabilities much faster,” says Keith Trippie, former executive director for the Homeland Security Department’s Enterprise System Development Office and current CEO of The Trippie Group. “The ultimate goal should be better cybersecurity through risk management, and FedRAMP is a good step in the right direction.”

FedRAMP Offers Two Paths to the Cloud

Under direction from the Office of Management and Budget, the General Services Administration started FedRAMP as a centralized way of vetting cloud services so agencies wouldn’t have to do it themselves every time they wanted to deploy a cloud solution. Service providers get clearance from FedRAMP in one of two ways, each under the scrutiny of an approved third-party assessor: either through the FedRAMP Joint Authorization Board or through an agency sponsorship.

In the latter case, the agency, such as HHS, evaluates the cloud provider based on FedRAMP templates and requirements. When an agency authorizes a cloud service, it can tweak the required security standards based on its own environment and risk tolerance.

Therefore, any other agency that wants to utilize that provider’s cloud service should understand how the sponsoring agency’s profile matches theirs.

“We benefit by not having to re­invent the wheel to leverage the cloud,” Bollerer says of the overall system. “The cloud service providers authorized by the Joint Authorization Board have done 85 to 95 percent of the work for us. And in the same way, by doing an agency sponsorship, we are trying to reciprocate by doing the lion’s share of the work on another contract, for example.”

Trippie says the FedRAMP model saves industry time and effort in the authorization process. As a result, providers can keep costs competitive and accelerate time to market for desired cloud services. On the agency side, IT departments can migrate off old platforms faster and save money on cybersecurity costs because the authorization process takes place only once.

“As people began to look at cloud services, we started to realize that there has to be a more efficient way to procure these services,” Trippie says. “On the cloud service provider side, it really made no sense for them to update all their documentation on a specific service every time they wanted to do business with a federal agency. Why not just authorize them one time through FedRAMP?”

When the June deadline passed, FedRAMP had authorized 12 cloud services from 11 different providers. Six cloud services from four providers had received agency authorizations.

All that’s left now is for agencies to adopt FedRAMP-certified cloud services.

SEC Moves Applications to the Cloud

The Securities and Exchange Commission already has shifted a number of key applications to FedRAMP-certified providers, a move that Deputy CIO Pamela Dyson says has already yielded benefits.

“We reduced our time to provision new applications,” Dyson says. “Plus, we have lower support costs and much less administrative overhead.”

Credit: Jonathan Timmes

Pamela Dyson, deputy CIO at the Securities and Exchange Commission.

The SEC now uses a FedRAMP-compliant cloud to host its Electronic Data Gathering, Analysis and Retrieval (EDGAR) system, which lets web users search the filings and financial statements of public companies. In addition, the agency now uses a different FedRAMP-authorized cloud for Internet bandwidth.

That said, Dyson acknowledges that FedRAMP and the June deadline don’t necessarily signal a rush on cloud services for all government applications. For example, she says, although the SEC has moved EDGAR and other nonsensitive public information (such as the Market Information Data Analytics System) to the cloud, it plans to take its time with other applications.

“Storage will probably be more of a hybrid cloud, and for now, we will run our internal analytics system at headquarters,” she says.

Continuous Monitoring for Cloud Providers

Of course, this is technology, and with technology, nothing stays the same for long. Also in June, soon after the FedRAMP deadline, the program management office released a new security baseline that cloud services now must meet.

FedRAMP Director Maria Roat says the program is evolving from a security posture based on compliance with regulations, to security based on risk management and continuous monitoring.

The change is in response to revision 4 of the National Institute of Standards and Technology’s Special Publication 800-53, which includes about 140 new security controls, including several for continuous monitoring, mobility, risk management and cloud-specific threats. All FedRAMP-certified providers must scan their systems, databases and web applications monthly and submit the results to the FedRAMP program office. High-risk vulnerabilities must be remediated in 30 days, and the cloud service provider must document that it is continuously patching known vulnerabilities.

“For example, when the Heartbleed bug broke out or flaws were discovered within Internet Explorer, we worked very closely with the providers to ensure that they were applying the patches,” Roat says. “Most of the time after a major incident such as Heartbleed, they are already working on the patches anyway.”

DOD and the Cloud

The moderate security profile authorized by FedRAMP applies mostly to civilian agencies. For example, Bollerer says the FedRAMP security controls are adequate for the majority of information that HHS and its operating divisions maintain.


The percentage of federal IT managers who say their agencies are either fully deployed or partially deployed with cloud services; another 28% say they are planning to adopt the cloud, and 23% are considering cloud services

SOURCE: “Show Me the Money: The Key to Doubling Agency Savings” (MeriTalk, April 2014)

But Roat says her office has been working closely with the Defense Information Systems Agency to develop a stronger cloud security standard for Defense Department agencies. DISA meets with the FedRAMP board to perform security assessments on cloud service providers and to consider strategies for requiring a higher level of security governmentwide in cloud services.

Gordon Bass, chief of the certification and assessment branch for DISA Field Security Operations, says the agency has developed the Cloud Security Model for providers that host DOD data, up to and including “secret” data. The Cloud Security Model is for DOD agencies only.

“DOD has data that requires various security levels,” Bass says. “The goal is to match the data with the required security level at the right cost.”

Roat reminds agencies that FedRAMP is a baseline for cloud security. DISA and DOD, for example, specified additional controls.

“If an agency wants to leverage a cloud service provider’s [FedRAMP authorization], but has two additional controls it requires, the agency can work directly with the provider to add those two controls,” Roat says. “The benefit to the agency is that all the prior controls have been reviewed and assessed, so the agency only has to do the work for those two added controls.”

Emery Csulak, deputy chief information security officer at the Department of Homeland Security, says agencies can now move forward with cloud deployments knowing that the service providers authorized by the FedRAMP Joint Authorization Boards meet the lion’s share of their security requirements.

“We’ve got people on the board who really know what they’re looking at when it comes to cloud security,” he says. “We’ve been authorizing private cloud applications well before FedRAMP. I think the agencies can learn from our experiences and use the structure and templates that FedRAMP has set up. In the end, we’re trying to make their lives easier.”

For more information about FedRAMP changes, read our article on FedRAMP 2.0. You can find a list of the FedRAMP-compliant services here.

To learn more about CDW cloud solutions, go to CDW.com/cloud.