The lack of a governmentwide authorization program for contracted IT services has hindered federal adoption of cloud computing, Peter Mell, Cloud Computing Advisory Council vice chairman, said Monday in an interview with GovInfoSecurity.com. The Federal Risk and Authorization Management Program, or FedRAMP, could mitigate those challenges, he said.
The governmentwide initiative would provide joint authorizations and continuous security monitoring of shared IT services for federal departments and agencies that enter contracts with outside providers, including those offering cloud computing solutions. FedRAMP would establish a unified risk management process by:
- Creating agreed upon security requirements among federal departments and agencies.
- Ensuring compatible security requirements on shared systems.
- Eliminating duplication of effort, with the associated cost savings.
- Enabling rapid acquisition by leveraging pre-authorized solutions.
- Encouraging better system integration with governmentwide information security efforts.
- Increasing security through focused assessments.
The Cloud Computing Advisory Council, a group of government information security officials formed last year by Federal Chief Information Officer Vivek Kundra, has been working on the program since its inception. It has sent its plans for FedRAMP to agencies to be vetted. "It took us this last year to figure out what we needed to do and figure out how to move forward, and I think we are poised to make serious progress here," Mell said.
The Council expects to pilot FedRAMP almost immediately after the agencies give their blessings to the program. FedRAMP would be voluntary, so agencies with unique needs could define their own security requirements, said Mell, who also is a senior computer scientist at the National Institute of Standards and Technology and had led NIST's cloud computing initiatives.
"It's voluntary because we do not want to take away the innate authority and responsibility of each agency to secure their systems," Mell said. "What we want to do is reduce duplication of effort, reduce costs, increase security, and we believe we can do that through this unified, risk management program.
"And the agencies, by leveraging FedRAMP authorization, will save a lot of money and enable rapid acquisition but they're still in control. They get to choose whether or not they leverage it. They can choose if they want to do additional work to assure systems meet the security needs of their agency."
FedRAMP's structure would consist of three entities:
- Security Requirement Authorities would create governmentwide security requirements.
- Joint Authorization Board would perform authorizations to be leveraged by agencies.
- FedRAMP Office would manage the program and conduct technical analysis of authorized
Mell said FedRAMP would not require any new laws to implement, and it conforms with existing Office of Management and Budget and NIST IT security guidance.
FedRAMP jibes with the latest revised guidance from NIST - Special Publication 800-37 Revision 3, known as Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach - which encourages agencies to jointly define the security requirements of IT services to be acquired. For example, the General Services Administration could accredit a cloud computing provider's services, and other agencies could piggyback on that authorization.
"Instead of having to go back and having each of those agencies do a complete reauthorization for their own purposes, they can now use the documentation and evidence used as part of that first agency's authorization as the basis of their risk decision," Ron Ross, the NIST senior computer scientist who was the lead author of SP 800-37, said in an interview with GovInfoSecurity.com.