The General Services Administration (GSA) is in the midst of launching an ambitious program designed to accelerate the safe adoption of cloud services within the U.S. Government. That program, the Federal Risk and Authorization Management Program (FedRAMP), is a collaborative effort between the GSA, the National Institute of Standards and Technology (NIST), the Department of Homeland Security (DHS), and the Department of Defense (DOD). FedRAMP will ensure cloud service providers (CSP) maintain adequate information security; reduce duplicated effort; decrease risk management costs; and streamline the procurement of cloud services.
Today, an agency using a cloud service would need that CSP to go through a Certification and Accreditation (C&A) process. Once the CSP makes it through this process, the head of an agency can issue an Authority to Operate (ATO) allowing that service to go into production. ATOs are agency specific, and other agencies rarely leverage another agency’s prior work. Imagine needing a separate driver’s license (ATO) for every state (agency) in which you wanted to drive. With each of these licenses (ATOs) costing an average of $150,000, the costs rapidly skyrocket.
FedRAMP means to change this process. Last January, FedRAMP published both the security controls that CSPs must address as well as the program description for the third party auditors (3PAO). In February, they released their Concept of Operations document. Under FedRAMP, a CSP can document how they will address the security controls, and a 3PAO will assess these controls. The output from both the CSP and the 3PAO are captured in a security assessment package for comparison against FedRAMP requirements. Finally, the Joint Advisory Board (JAB), consisting of CIOs from the GSA, DOD, and DHS, will review the package, and if the risks are deemed acceptable, they’ll issue a “provisional authorization.”
There are hard and fast rules that only heads of an agency can issue an ATO, and that hasn’t changed. What has changed is that agencies can now leverage the JAB issued provisional authorization and FedRAMP security assessment package as a baseline for granting their own agency-specific ATO. If an agency’s security objectives are captured in the FedRAMP package, then the agency can leverage the work already in place and issue their own ATO.
Some agencies might have security controls that aren’t part of the baseline, and that’s fine. When an agency needs additional controls, the agency can accept the FedRAMP baseline and only audit those additional controls. The key is that common controls within the security assessment package needn’t be re-assessed. This “do once, use many times” philosophy is at the heart of FedRAMP. Federal CIO Steven VanRoekel estimates that FedRAMP could save agencies between 30 percent and 40 percent on assessment and procurement processes. Even taking the low end of this estimate, that’s a $45,000 savings on what might be a $150,000 assessment. Scale this over hundreds of ATOs, and that’s millions in savings.
Ideally, a CSP will have already been vetted through FedRAMP. When a CSP hasn’t been through the program, an agency must still use the FedRAMP Program Management Office (PMO) process and the JAB-approved FedRAMP security assessment requirements. Once an agency completes the CSP’s assessment and grants an ATO, the agency submits the complete package with FedRAMP defined security requirements back to the FedRAMP PMO. This completed package can then be incorporated into the repository for use by other agencies.
In addition to creating a repository of approved CSPs with their corresponding security packages, FedRAMP will also provide much needed support to contracting officers (CO). Many COs struggle with the shift from hardware and software based acquisitions to service level based acquisitions. To assist COs, FedRAMP will be providing standard clauses for inclusion into contracts, Terms of Service (TOS) documents, and Service Level Agreements (SLA).
Again, GSA is still in the midst of setting up this program. FedRAMP is slated for initial operating capability by June 2012 with the program being fully ramped in 2014. Through the remainder of 2012, FedRAMP’s primary focus will be on working out the kinks in the system while putting a number of Infrastructure as a Service and email/collaboration CSPs through their paces. Overall, FedRAMP has the makings of a remarkable program in that it consolidates baseline security controls, procurement best practices, and shared learnings while potentially saving significant time, resources, and money.
David Blankenhorn is chief cloud technologist of DLT Solutions.
Edited by Carrie Schmelkin