If 2012 was the year for finalizing FedRAMP as a streamlined security program for government cloud computing, 2013 may be the year where the work pays off and vendors start announcing certified FedRAMP cloud computing solutions. But even as vendors get their solutions FedRAMP certified, does FedRAMP really address all the potential concerns an agency might have for implementing a robust cloud computing solution?
What is FedRAMP?
FedRAMP, the Federal Risk and Authorization Management Program, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based services. FedRAMP uses a “do once, use many times” framework that is designed to save costs, time, and staff required to conduct redundant agency security assessments and process monitoring reports.
The existing FISMA law requires Federal agencies to accept the risk and authorize cloud systems at the agency level. FedRAMP builds on FISMA and is designed as more of a cross-agency tool for selecting secure cloud systems.
With FedRAMP, a cloud service provider (CSP), such as Amazon, Google or Microsoft, contracts with an accredited third party assessment organization (3PAO) to independently verify and validate their security implementations and their security assessment package. The CSP submits the package to the FedRAMP Joint Authorization Board (JAB) for review. Once documentation and test results are completed, the assessment is measured against the FedRAMP requirements and if the JAB is satisfied that the risks are acceptable, a Provisional Authorization is granted. Agencies can then leverage the JAB Provisional Authorization as the baseline for granting their own authorization to operate (ATO). If necessary, agencies can add additional controls to the baseline to meet their particular security needs.
FedRAMP was developed in collaboration with the National Institute of Standards and Technology (NIST), the General Services Administration (GSA), the Department of Defense (DOD), and the Department of Homeland Security (DHS). Many other government agencies and working groups participated in reviewing and standardizing the controls, policies and procedures.
Where is FedRAMP today?
FedRAMP is now operational. In fact, the first cloud service provider, Autonomic Resources, received a provisional ATO for its Autonomic Resources Cloud-Platform (ARC-P) at the end of December. ARC-P provides U.S. Government customers with a government community Infrastructure-as-a-Service (IaaS) cloud offering providing both managed and unmanaged virtual machines.
Autonomic Resources is already well-established as a government cloud computing player, having been certified by the GSA as both an Infrastructure-as-a-Service and Email-as-a-Service (EaaS) vendor in the past. The Autonomic EaaS solution, which is based on Microsoft Exchange, is also in FedRAMP processing, so we should expect to see this additional FedRAMP-authorized offering in place soon.
While Autonomic was the first to receive a provisional ATO, we will likely see a number of cloud providers announcing their ATOs in the near future. According to FedRAMP Program Manager Matt Goodrich, “additional JAB ATOs are expected in early 2013.” As in the past with FISMA, it is assumed that all government-focused cloud vendors will be committed to meeting the mandated FedRAMP security requirements.
That said, the FedRAMP requirements are complex and require a substantial investment of time and resources by technically qualified personnel in the government, third party security firms and the cloud service providers. As many of the requirements are new and qualified resources are limited, it is likely that not all providers and services will be certified as quickly as industry or government would like. Plus, the FedRAMP process is extremely documentation intensive, which may slow down rather than speed up the certification of new solutions. It is important, therefore, for agencies to recognize that migration to FedRAMP is but another phase in the security process that all reputable cloud service providers are committed to achieving. In the meantime, many established cloud offerings have met rigorous government security requirements under FISMA, ISO 27001 and other recognized standards and should be evaluated accordingly.
But does FedRAMP address all requirements for government cloud computing?
While the security of government cloud computing systems is a high priority for both government and the industry, it should be noted that FedRAMP is only designed to address low and moderate security risk levels and doesn’t govern single agency private clouds. Agencies requiring higher security levels will still need to do their own assessments of solutions to ensure they meet all mission requirements.
Finally, security is only one attribute that should be considered when agencies are looking for a suitable cloud computing solution. For example, the CIO Council and the Chief Acquisition Officers Council highlighted ten areas that “require improved collaboration and alignment during the contract formation process” in their “Creating Effective Cloud Computing Contracts for the Federal Government.” Quoting from this publication, these ten areas are:
- Selecting a Cloud Service: Choosing the appropriate cloud service and deployment model is the critical first step in procuring cloud services;
- CSP and End-User Agreements: Terms of Service and all CSP/customer required agreements need to be integrated fully into cloud contracts;
- Service Level Agreements (SLAs): SLAs need to define performance with clear terms and definitions, demonstrate how performance is being measured, and what enforcement mechanisms are in place to ensure SLAs are met;
- CSP, Agency, and Integrator Roles and Responsibilities: Careful delineation between the responsibilities and relationships among the Federal agency, integrators, and the CSP are needed in order to effectively manage cloud services;
- Standards: The use of the NIST cloud reference architecture as well as agency involvement in standards are necessary for cloud procurements;
- Security: Agencies must clearly detail the requirements for CSPs to maintain the security and integrity of data existing in a cloud environment;
- Privacy: If cloud services host “privacy data,” agencies must adequately identify potential privacy risks and responsibilities and address these needs in the contract;
- E-Discovery: Federal agencies must ensure that all data stored in a CSP environment is available for legal discovery by allowing all data to be located, preserved, collected, processed, reviewed, and produced;
- Freedom of Information Act (FOIA): Federal agencies must ensure that all data stored in a CSP environment is available for appropriate handling under the FOIA; and
- E-Records: Agencies must ensure CSPs understand and assist Federal agencies in compliance with the Federal Records Act (FRA) and obligations under this law.
And the publication warns that this is not an exhaustive list.
So while security is an absolute requirement for government cloud computing systems, other concerns such as privacy, SLAs and appropriate end-user agreements also need to be addressed by all agencies contemplating moving any workloads or government data to the cloud.