CAMBRIDGE, MD — The General Services Administration will officially turn the lights on for the governmentwide cloud security approval program, known as FedRAMP, today.
But agencies shouldn’t expect to buy any services that meet the cyber standards for at least another six months.
The Federal Risk Authorization and Management Program (FedRAMP) reaching initial operating capability (IOC) means that GSA, the Office of Management and Budget and the departments of Defense and Homeland Security have done all the preliminary work to get the program ready to review and approve cloud services. GSA, DHS and DoD make up the Joint Authorization Board (JAB), which gives provisional authority to operate for cloud services.
Over the last 19 months, GSA, which runs the FedRAMP program management office, published the final set of security standards, the concept of operations for how the FedRAMP approval process will work, the charter for the JAB and named the third party assessment organizations (3PAOs), which will do the first of three reviews to make sure the cloud services meet the governmentwide cyber standards. Katie Lewin, GSA’s program manager for cloud computing, said the biggest change in moving to IOC is FedRAMP will begin accepting applications online from vendors to begin the process to receive a provisional authority to operate (ATO), or go through the first of three gates toward final approval.
Lewin said two more documents should be released shortly.
“One is the guide to using FedRAMP and another is the application,” Lewin said Monday at the Management of Change conference sponsored by IAC and ACT. “In the guide to using FedRAMP, there is a page there that talks about what I would call threshold control. There are certain things, in our experience with infrastructure-as-a-service, that companies need to be able to meet. If they can’t, they should probably delay their application to FedRAMP until they can.”
What to know before you go
Lewin said one example is dual-factor authentication.
“If you are not doing that yet, probably you shouldn’t apply for FedRAMP right away,” she said. “You probably should figure out how you will do that.”
Another example is how the vendor describes their boundaries in a way that is complete, but doesn’t include the entire company.
“We have had many discussions with companies for IaaS where there was a discussion about the preciseness of the boundary described so that you know what you are granting your ATO for,” Lewin said.
As with all FedRAMP documents, Lewin said the program management office will continually update and tweak them to meet agency and vendors’ needs as they both become more experienced in using them.
Lewin said she hopes at least three cloud services will be approved by the JAB by December.
GSA has said it expects full operational capability by late winter or early spring of 2013.
Over the next few months, Lewin said GSA also will decide on how best to create the cloud documents repository, which will hold all agency related information about their approval process. She said GSA is considering using the OMB Max Intranet site or another one run by DoD.
New continuous monitoring guidance coming
Additionally, GSA also is working with DHS on new continuous monitoring guidance specifically related to cloud and FedRAMP.
“As it stands now, the continuous monitoring requirements are the same as they are right now,” she said. “[DHS] will release documentation fairly soon that talks about the next evolution in continuous monitoring.”
While FedRAMP gets ramped up, agencies are expected to continue to move to secure cloud services and meet OMB’s mandates.
DHS, for example, is moving to both a private and public cloud. In the public cloud, the agency is putting all its non-sensitive or non-critical data. DHS awarded a three-year, $1.8 million contract to CGI-Federal under the IaaS contract in September for public cloud services.
“We have built management services on top of that and the platform services. My office is serving as a service provider to the rest of the department,” said Keith Trippie, the executive director of the Enterprise System Development Office in the DHS Office of the Chief Information Officer, about the CGI public cloud offering. “How we have done this on the security side is we have taking the controls at the GSA ATO that were out of the box. We have developed a risk assessment on top of those ATO controls and then framed those against the DHS moderate level as well as the FedRAMP controls that were coming down the pike.”
Trippie said every DHS component using the public cloud services must accept the level of risk detailed as part of its analysis.
Components have been so eager to move their websites to the public cloud, and potentially save money, the DHS CIO’s office is overwhelmed and had to push some of the components off until 2013.
Trust, transparency and accountability
Trippie said DHS also is offering nine different services in their private cloud data center for components. All of these are at the moderate or high levels of security and will be certified and accredited before any user comes on.
“That is an entirely new business model that what we did before. Similar to what we are doing in the public cloud, we are doing the same concept in our private cloud,” he said. “What I would expect to happen, as FedRAMP takes off and we get more vendors to come in, we will be looking at our two data center providers in 2013 to come up to that standard. We would argue that the controls we already built at the moderate level would meet those criteria. But we will go that same process [as we are doing] with our public cloud.”
Trippie said the key to FedRAMP is the building of trust between agencies, vendors and the JAB over the next six-to-nine months as contractors receive their initial authority to operate. Additionally, the transparency of the review process and the accountability of the vendors and third-party assessment organizations also will help FedRAMP succeed, he said.
Trippie said agency CIOs, who have the final say if a cloud service meets their needs, initially will review some of the vendors’ offerings before being comfortable with the JAB’s IOC decision.
“Once they go through a couple of these a year from now and they have a couple under their belt, I think they will be a lot more comfortable with saying, ‘I don’t need the additional value add. I’m going to take what’s been done here,'” Trippie said. “I don’t think there one blanket or one-size-fits all. There are going to be apps folks will spend a little more time on.”
Agencies ahead of the pack should share their experiences with those that are moving slower. Trippie said FedRAMP is discussing how best to create an online forum for agencies to talk about good and bad of FedRAMP, and to get best practices and advice.