Confusion over how best to incorporate cloud security standards in procurements has reached a breaking point.
The Office of Federal Procurement Policy is planning to help agencies clarify how they should include the Federal Risk and Authorization Management Program (FedRAMP) standards in solicitations.
“Right now the policy memo says agencies must include FedRAMP in their contracts and enforce it contractually. There’s no guidance exactly on how to do that. So we will be having some contract language come out,” said Matt Goodrich, the director of FedRAMP, during a press roundtable in Washington Tuesday. “We have some already, but having some contract language with some more practical guidance and implementation guidance around it, as well as some additional things like what’s the evaluation criteria for agencies when evaluating that proposal that comes in.”
He said the FedRAMP program management office (PMO) also is working with the Office of Management and Budget to incorporate the contractual language and oversight of cloud services contracts into the PortfolioStat process.
Goodrich didn’t say when OFPP would issue the clarifying guidance.
“We are working with GSA to ensure agencies are equipped with the necessary tools and strategies to effectively implement current policy and realize the full potential of FedRAMP,” an OMB official said in an email to Federal News Radio.
OMB initially addressed cloud acquisitions in its December 2011 memo when it launched FedRAMP.
In that memo, OMB only says agencies must “Ensure that acquisition requirements address maintaining FedRAMP security authorization requirements and that relevant contract provisions related to contractor reviews and inspections are included for CSPs.”
Incremental approval possible
The FedRAMP PMO also has an entire section on its website for acquiring cloud services, which includes several case studies and issues to consider when procuring and awarding cloud service contracts.
But it doesn’t offer any templates or sample contract language.
The clarification became more necessary as FedRAMP matured and became mandatory in June. Some agencies were writing solicitations that required vendors to meet conditions that may be too difficult or not in the spirit of FedRAMP.
“The concern that we have is that there are agencies who were requiring FedRAMP compliance as a condition for eligibility to bid, which we feel is inappropriate and unduly restrictive, much in the same way many IT procurements don’t require an authority to operate in order to bid, but rather an ATO in order to go into operations,” said Kathy Conrad, the General Services Administration’s acting associate administrator of the Office of Citizen Services and Innovative Technologies. “So we are looking to clarify that to avoid restricting cloud providers who are in the process of becoming compliant or are prepared to receive a FedRAMP ATO after an award and before the agency needs them to have that ATO to go live.”
Additionally, the clarification is needed as agencies are expected to spend billions of dollars on cloud services in the coming years.
Conrad said the program management office is even considering whether agencies could issue an interim authority to operate (IATO) so they don’t have to wait nine to 12 months, the average time for a vendor to go through the rigorous process, for their vendor to get FedRAMP approved.
To be clear, Conrad said an IATO is only one option, and the Joint Authorization Board (JAB), led by GSA and the departments of Defense and Homeland Security, is not considering the IATO option.
Conrad said the FedRAMP PMO must balance the need for a rigorous approval process with the need for allowing innovative cloud service companies access to the federal market as soon as possible.
Along with the contracting help, FedRAMP is working on several other initiatives for 2015 as part of its year two priorities.
Federal News Radio first reported FedRAMP’s plans to develop baseline standards for systems rated high on the Federal Information Security Management Act scale. The draft high baseline will be available for the first round of public comments in January.
Justification for more controls
Goodrich said the PMO plans on finalizing the baseline standards in the next year.
“One thing that I think our stakeholders will very much appreciate is as we put that baseline out it will be different than before because it actually will have justifications for why we selected additional controls,” Goodrich said. “Previously, we just put out the baseline and said respond to it. We should have a better dialogue among all of our stakeholders as to why we are asking for certain things, and if a provider says ‘this control is too expensive,’ then they can provide two alternatives that may be a cheaper way to do it, but achieve the same net goal.”
Conrad added that being transparent about intent will help industry suggest alternatives that may be less costly but still as rigorous.
Goodrich said as FedRAMP enters into year two, the PMO’s goal is to ensure agencies know this is not a GSA or JAB program, but a governmentwide program.
Part of the way the PMO will be doing that is by establishing several working groups. Goodrich said the working groups are part of how the PMO wants to create a sense of ownership and collaboration among agencies.
“There’s going to be multiple levels of the working groups,” he said. “One is having a general high-level working [group] that is the FedRAMP points of contact of each agency talking through what their compliance numbers look like, what major issues [they] are going through, what their reporting into OMB [looks like], and make sure that we are actively working with them around that baselining of the metrics to understand where we are with FedRAMP and cloud use across the government.”
Another working group may center on new cyber requirements from DHS or the National Institute of Standards and Technology, and how they apply to agencies.
A third one would bring several agencies together to share resources in approving cloud service providers.
“If there are six agencies working with cloud service providers and one agency takes the lead with one CSP each and they get five more authorizations for free from the other agencies,” Goodrich said.
Measures of success
Conrad said agencies have been hesitant to conduct their own cloud security reviews mainly because there is a big disincentive to be first as other agencies will just take advantage of their work.
She said this way everyone has skin in the game and they all benefit from each other’s efforts.
Goodrich said the goal is to get these working groups set up in the next six months.
Another improvement will be around how the PMO measures FedRAMP’s impact. Goodrich said the metrics effort is part of how the program management office wants to increase the use of FedRAMP across the government.
“We actually need to really understand who’s using it. So we need to establish the FedRAMP metrics. Who’s using it? Where are they using it? Where are cloud service providers actually in agencies and where do they have customers? Where are there cloud providers who want to come into the federal government? We really want to understand the total depth of cloud across the federal landscape,” he said. “Also with that we want to make sure we update our implementation guidance. We know [for] agencies to do FedRAMP, they must understand exactly how to do it. While the process has been pretty clear and straightforward and public for a while, actually implementing that within an agency, and that practical guidance of how you incorporate that into your existing policies and procedures, from the beginning of the authorization process to reusing to putting your applications into an authorized environment, all of that, we will have guidance that helps support agencies through that.”
Another major change coming to FedRAMP next year is around the third party assessment organizations (3PAOs). Goodrich said the goal is to enhance the consistency and quality of the third party assessors.
Goodrich said FedRAMP also will relaunch its website with the Web address fedramp.gov, but more importantly, it will make information and resources easier to find.
Finally, he said the PMO will look into whether existing security standards outside FedRAMP, such as those for HIPAA, could be integrated or substituted in some way for the federal standards. The goal would be to reduce the cost and time for vendors to show they meet a certain level of security.
The one thing Goodrich and Conrad reiterated time and again is that they want to improve FedRAMP’s efficiency, take into account how cybersecurity is constantly changing and ensure agencies understand the benefits of the program, all while keeping the program’s rigor in place.