The Federal Risk and Authorization Management Program (FedRAMP) late last month approved the first cloud-computing services company to pass a comprehensive security-review process.
After a spate of tests and evaluations, the Joint Authorization Board certified Autonomic Resources, a small business based in North Carolina, to offer cloud services governmentwide.
But the company wasn’t the only one facing a big test. Dave McClure, the associate administrator in the General Services Administration’s Office of Citizen Services and Innovative Technologies, said the FedRAMP review process was also a proving ground for GSA.
“I think it’s a big deal because we’ve been working on trying to set up a successful process to evaluate cloud security and the process has produced the first company through it,” McClure said in an interview on In Depth with Francis Rose. “That means that our operating model has been tested and that we’re capable of delivering a security assessment against a standard baseline set of controls for cloud computing.”
“What we want to accomplish with this program is leverage,” McClure said. “We want to stop the repetitive, redundant security evaluations processes of government and do it one time well and then leverage the use of that review many times across agencies trying to do the same implementation.”
Currently, there are about 78 cloud companies or products in the FedRAMP-review pipeline, McClure said.
So far, feedback from vendors has been positive. But the companies realize the process is not a cakewalk.
“Making services compliant with federal guidelines is not a simple task,” McClure said. “And we are dealing with cloud computing — a new area of computing for security. And we’re learning lessons as we go along. And I think that’s been somewhat of the news for industry: The process is rigorous, it takes a great deal of evidence to display that you can actually meet the criteria and the controls.”
“We wanted to kick the tires on the process and make sure that we could learn and constantly improve this program so that when it becomes fully operational that it’s as efficient as it can be,” he said.
But he said as FedRAMP gears up for a full launch later this year, “You will see, I think, a steady rollout of cloud services under the FedRAMP model.”
Overall, the time it takes an offering to make it through the pipeline is dependent on a number of variables, McClure said, such as the complexity of the cloud solution itself.
“If you’re doing hosting services as part of infrastructure-as-a-service, that’s quite different from providing software-as-a-service vs. a platform service,” he said.
McClure acknowledged that the time it has taken the initial set of companies to go through the process has been longer than initially planned, but that is a testament to the rigorous nature of the process, he added.
“These (offerings) are being approved for governmentwide use,” he said. “The last thing we want to do is to cut any corners on whether the provider has met any of the certification and accreditation process that we have put in place for cloud-computing solutions.”