Agencies are facing a June deadline to use only cloud computing services that meet governmentwide cybersecurity requirements.
Under the Federal Risk and Authorization Management Program (FedRAMP), the General Services Administration and the Homeland Security and Defense departments have led the 20-month effort to set a security baseline and a process to approve vendors.
The Office of Management and Budget will get a chance on Friday to see just how well agencies are doing toward the June deadline.
OMB set the timetable for agencies to use only cloud services approved by FedRAMP in a December 2011 memo.
Through the PortfolioStat effort, agencies are submitting new data that will highlight their progress.
“With the PortfolioStat, there were initially six questions related to cloud. With this most recent quarter of PortfolioStat, we were able to add a seventh question: Who is your FedRAMP point of contact?” said Maria Roat, GSA’s director of FedRAMP, after she moderated a panel on FedRAMP Thursday sponsored by Cloud Computing Caucus Advisory Group in Washington. “What we learned is that the person doing the reporting for PortfolioStat is not necessarily from the CIO’s shop, and they weren’t always talking. We could tell from the data that was coming in, because there was information from some agencies and components that wasn’t reported in PortfolioStat, and there were things reported in there that we didn’t know about either.”
Roat said FedRAMP’s program management office looked at the data and is going back to OMB with details of agency efforts. She said with a FedRAMP point of contact, her office can ask for even more specific details to find out what they are working on.
“Right now, we don’t have a broad insight into what the agencies are doing. When they tell us, great, but we don’t use that mechanism to see that,” she said. “I think some of the cloud providers know better than we do what’s going on and what the agencies are working on.”
More transparency about vendors
It’s unclear what will happen if agencies are not using FedRAMP approved cloud services as of June. Roat said that is up to OMB to decide.
But she said if her office or an agency can tell OMB that the vendor’s services are in the queue to receive FedRAMP approval and it’s expected later this summer, that may be good enough progress.
One major change under the FedRAMP program that should help with the June deadline is that the program management office has publicly released the names of vendors going through the approval process.
Roat said a few weeks ago the program management office posted the list of who’s in the approval process so agencies don’t have to ask about specific vendors.
“Initially, with who is in the readiness process going through this, there was a lot of reluctance in industry. They didn’t want their name out there because FedRAMP was new and shiny, and it wasn’t proven successful yet,” she said. “Before we did this, we did reach out to all these cloud providers, and the Joint Authorization Board approved it.”
One industry executive, who requested anonymity, said making the vendors go through the FedRAMP process publicly is a good thing.
“Moving toward the June deadline and as agencies look to fulfill cloud needs, they need to know who’s in the pipeline,” the official said. “No one has been shy recently about saying they are in the approval process.”
The source said initially there was some concern that the first vendors who received approval would have an advantage over those who didn’t. But the official said that concern hasn’t played out.
“Part of it is if you get names out there, it lowers the playing field,” the source said.
To date, the Joint Authorization Board (JAB), made up of the chief information officers of GSA, DoD and DHS, has approved 10 companies and the Agriculture Department, eight of which offer infrastructure-as-a-service.
Fourth added to the JAB
FedRAMP also recently expanded the JAB to include the Defense Information Systems Agency along with the DoD CIO.
Roat said Teri Takai, the DoD CIO, requested the JAB include DISA’s security personnel as part of the review process. DISA is serving as the cloud broker for DoD under the Pentagon’s cloud computing strategy from July 2012.
“When the packages are being reviewed, it has DISA’s viewpoint on it,” she said. “So then when one of the vendors comes through, DISA has already seen the package, and they know exactly what’s in it, and they don’t have to do the work twice. DISA is learning how to get that federal view, but they also are having input on what they need and a heads up on reviewing packages. I think it’s beneficial all the way around.”
Vendors have three paths to achieve FedRAMP certification. Over the last two years, most have either gone through the JAB or received approval by a specific agency. But Roat said the third path is starting to gain some momentum, especially from small businesses.
She said the third way, called a cloud service provider supplied authorization, always has been in the concept of operations and guide to FedRAMP, but it was rarely discussed or used.
“We are starting to get inquiries from small businesses who don’t want to part with the big infrastructure providers, but they do have an implementation in a data center. They say, ‘How do I do this?’ Now, the CSP supplied isn’t reviewed by my office and agencies don’t review it, but they are required to hire a 3PAO. By hiring a 3PAO, all the testing is done, and if they do all their documentation, we will do a completeness check, and make it available for agencies to look at.”
Update to security standards coming
Agencies could look at the documents from the small businesses and decide the risk basis in how they want to use the service.
Roat said by going down this path, small firms can get ahead of the process.
“We are seeing small, medium and larger businesses who don’t want to invest in infrastructure and put their application or platform within that infrastructure,” she said. “When you look at infrastructure requirements there are a lot of physical controls for the physical environment so they will inherit those controls. They don’t have to document it. They don’t have to test it. It’s already been done. They just have to look at what their implementation needs, the difference between the two and then get the testing done and move on.”
Even as agencies face the impending deadline, the program management office is planning to change the baseline security standards.
Roat said the National Institute of Standards and Technology likely will publish the test cases for its revision 4 of Special Publication 800-53 in April.
She said once those are completed, the PMO will update the new FedRAMP security standards later this summer based on industry comments it received over the last year.
“We’ve done a lot of analysis and received great feedback from industry, the third party assessment organizations and government on that,” Roat said. “We’ve come to a good place where we know what the baseline will look like, and we have about seven controls we are hashing out that we are saying, ‘Is this of value to a cloud service provider?’”