FISMA Report Identifies Gaps in Federal Cloud Security
Federal agencies are increasingly dependent on private companies that own or operate information systems on their behalf, through cloud computing agreements and other arrangements.
But some agencies are falling short when it comes to ensuring that all systems used to process and store government data, including systems that reside in the cloud, meet federal requirements. A number of agencies have programs to manage contractor systems, but the programs are lacking in at least one area, according to the 2014 Federal Information Security Management Act (FISMA) report to Congress, which was publicly released late last month.
Of the 17 inspector generals who reported that their departments have programs in place to manage contractor systems, only eight IGs said those programs had all the required elements, the report found. The departments were not identified, but the remaining nine IGs said their programs were lacking in at least one of the following areas, as the report states:
• The department did not obtain sufficient assurance that security controls of such systems and services were effectively implemented and complied with federal and organization guidelines (four departments).
• The department did not have a complete inventory of systems operated on the organization’s behalf by contractors or other entities, including organization systems and services residing in a public cloud (three departments).
• The department had contractor owned or operated systems, some residing in a public cloud, that were not compliant with FISMA requirements, OMB [Office of Management and Budget] policy, and applicable NIST [National Institute of Standards and Technology] guidelines (six departments).
NIST standards are the foundation for the government’s Federal Risk and Authorization Management Program (FedRAMP). The program standardizes security assessment, authorization and continuous monitoring of cloud solutions used in the government.
The report also noted that some departments are “not capable of tracking and managing risks in a virtual/cloud environment." But there is an element of the FedRAMP process that addresses this issue. Continuous monitoring begins after a cloud service is authorized under FedRAMP. The term “continuous monitoring” can be hard to understand in the context of FedRAMP because the government isn’t watching everything that goes on in the cloud, program officials have said.
Vendors have to perform vulnerability scans monthly and remediate within 30 days any findings that are deemed high vulnerabilities. Some security reporting used to be done quarterly. FedRAMP officials said the change will better align the program with the Department of Homeland Security’s continuous monitoring program.
"Agencies have reported a total of 81 systems as being FedRAMP compliant,” according to the report. Twenty-six agencies have reported using FedRAMP provisional authority to operate packages. These documentation packages verify that a cloud solution meets FedRAMP standards. Agencies review that body of work before granting vendors a final authority to operate.
It isn’t clear how many systems are required to meet FedRAMP standards, but one of the program office’s top priorities this year is increasing stakeholder engagement, including the number of agencies implementing FedRAMP. Cloud computing and other provisioned services account for about 8.5 percent of the government’s IT spending today, according to the president’s fiscal 2016 budget proposal.
Other FedRAMP goals include improving program efficiencies, by automating FedRAMP documentation, and adapting FedRAMP to support evolving cloud offerings and security policies.
To learn more about how cloud computing solutions can help your organization get ahead, visit cdw.com/cloud.
