Demand is finally pushing the cloud services cybersecurity program known as FedRAMP to develop standards for high impact systems.
The Federal Risk Authorization and Management Program will send a draft baseline standard for FISMA high systems around the government for comment in the next month.
Matt Goodrich, the acting director of the FedRAMP program, said the program management office then will submit the draft baseline to industry for comment before finalizing it in 2015.
“The Homeland Security Department’s National Protection and Programs Directorate came to us and for the continuous diagnostics and mitigation program they are moving toward cloud and have a need for a high baseline. They really were one of the first agencies to come to us saying they were moving toward cloud based offering and need a high baseline, but FedRAMP doesn’t have it and we really want to align,” Goodrich said in an interview with Federal News Radio. “What we’ve decided to do, in the same way that FedRAMP has always tried to have a deliberate approach in everything we create in requirements and have consensus building approach to have all our stakeholders buy into the final product, is we’re gathering some of the internal government stakeholders that have the type of high systems that this would apply to.”
Goodrich said the new high-impact baseline would apply only to non-classified technology systems as characterized under the Federal Information Security Management Act (FISMA).
The Government Accountability Office estimated that only about 12 percent of all systems are labeled as high impact systems. But as the Defense Department, DHS and other agencies are moving to use cloud computer services more broadly, the need for a high-impact baseline standard is growing quickly.
“We are doing an internal consensus building among those agencies who have those types of systems to build what we would consider a draft baseline by the end of the year,” Goodrich said. “We are planning to have that available for DHS to use as a draft, which is similar to what GSA did for the infrastructure-as-a-service blanket purchase agreement when that went out before FedRAMP launched and GSA used the draft FedRAMP baseline at that point. In the new year is when we plan on doing our first round of public comments. That will likely require more than one round of public comments. That is one area of feedback we’ve gotten a lot from industry is the chance to comment more than once.”
A growing demand
He said he’s not sure how long the comment period will be, but the goal is to release version one of the high baseline in 2015.
In the meantime, at least one agency is trying to address this challenge on its own in some respects. DoD recently released a report on its cloud thinking in which it proposed reducing the number of security controls to balance risk and cost. Along with better defining the six levels of cloud security, DoD also more clearly explained how a cloud system affects mission delivery as part of the cybersecurity review.
FedRAMP and the Joint Authorization Board (JAB), which is made up of the chief information officers from DHS, DoD and GSA, have been reluctant to create a high baseline standard over the last few years. The most common reason from officials has been the lack of demand.
But as DHS expands its CDM program across more and more agencies, and as the use of cloud computing continues to grow — some experts forecast agencies could spend between $4 billion and $10 billion annually over the next five years — the demand for FISMA high cloud standards now is coming quickly.
Along with the CDM program, DHS is leading the implementation of the Trusted Internet Connections (TIC) initiative, and there has been some concern about how TIC, CDM and FedRAMP fit together.
Goodrich said the programs do not align yet, but the security requirements are similar.
“What CDM is requiring of federal-owned data centers and assets, we require as well,” he said. “We are going down the same highway, if you will. With TIC, we really have been working closely with our cloud providers and the TIC office as well. We are working to see how we can align the FedRAMP assessment process with the TIC capabilities and assessment process as well.”
He said the FedRAMP PMO and DHS are working to map the TIC capabilities to the cloud security requirements and the National Institute of Standards and Technology 800-53 special publication for security controls.
“We want to see if there is any additional guidance or testing that could be done so that potentially if you were doing a FedRAMP assessment you could also do a TIC assessment for the TIC capabilities as well,” Goodrich said. “We are in the very beginning stages of that but it’s exciting to see the alignment of these programs.”
Roadmap and education campaign coming
Goodrich said the development of the high baseline is one of several coming updates to FedRAMP.
He said while a major overhaul of the program isn’t needed, there are some tweaks that are coming as part of version 2 of the FedRAMP roadmap.
“We’ve heard from industry and agencies alike that sometimes they don’t know what we are doing inside the PMO, so what we are planning on doing is putting out a notice on what we are focusing on over the next two years in the PMO and what our main goals are, so agencies and cloud service providers can track our progress,” Goodrich said.
He said the roadmap will have three main goals:
Increasing agency participation and compliance with FedRAMP
Becoming more efficient as PMO
Continuing to adopt
Each of the goals will have actions and objectives that the PMO will take over the next two years. Goodrich said he expects that roadmap to come out in the next month or so.
“One thing we are trying to do in assisting agencies through this [the adoption of FedRAMP] process is educating them about what it means to sponsor or authorize a system for use under the FedRAMP requirements,” he said. “We really are trying to align some of these cloud service providers with their customers in getting through the process. We are seeing a really big appetite from many of the cloud providers saying they want to do this, but their customers don’t really understand the process. So we are trying to get out there to help agencies really understand what it means. At the end of the day, FedRAMP is FISMA for cloud. Agencies are doing FISMA currently and authorizing systems under FISMA, and this is just adding some additional clarity to FISMA for cloud systems.”
The FedRAMP PMO validates all the documentation from cloud service providers before it’s placed in the repository, but Goodrich said the oversight agencies apply varies greatly.
“We are working to find efficiencies in the JAB process and we have implemented a number of them, but as everyone tries to make the process go faster, one thing we are unwilling to do at the JAB level is to trade off security and rigor for speed,” he said. “We’ve started having multiple eyes on each package that comes through. We’ve initiated Red Team reviews where everyone on the team looks at the different sections of the security system plan, so there are multiple eyes looking at it before it goes to the JAB, which should reduce the JAB’s review time as they go through it as well.”
Goodrich said instead of having a meeting to get the JAB to sign off on the cloud security system plan, the PMO can get the CIOs’ signatures electronically to help speed up the approval process.