The 90-page Proposed Security Assessment and Authorization for U.S. Government Cloud Computing is intended to ease the adoption of cloud computing by government agencies by defining common security and risk assessment requirements that qualified private contractors must meet.
In the preface to the draft, Federal Chief Information Officer Vivek Kundra solicited comments from government agencies, contractors and the public to frame appropriate security controls and processes to appear in the final document. Suggestions should be submitted by Dec. 2 to fedramp.gov.
The draft issued through the Federal Chief Information Officers Council covers three main areas:
- A list of baseline security controls for so-called low- and moderate-impact cloud systems. NIST Special Publication 800-53R3 provides the foundation for the development of these security controls.
- Processes by which authorized cloud computing systems will be monitored continuously. The draft defines continuous monitoring deliverables, reporting frequency and responsibility for cloud service provider compliance with the Federal Information Security Management Act.
- Proposed operational approaches for the assessment and authorization of cloud computing systems that address all aspects of an authorization, including sponsorship, leveraging, maintenance and continuous monitoring, a joint authorization process, and the roles and responsibilities of federal agencies and cloud service providers under the risk management framework detailed in NIST Special Publication 800-37R1.
A basic concept behind FedRAMP's effort to simplify the vetting of cloud computing providers is the creation of cloud computing security requirements agreed upon among federal agencies, so that vendors need not meet a different set of requirements for each agency, a time-consuming and costly process. Simply put, under FedRAMP, if one agency vets a cloud provider, other agencies can piggyback on that assessment and authorization.
At a congressional hearing this past summer, David McClure, the General Services Administration's associate administrator of the Office of Citizen Services and Innovative Technologies, suggested that having agencies collaboratively define security requirements should enhance cloud computing security.
"It's very important in talking about security to not start from the mentality that doing it yourself means it will be done perfectly," McClure said. "There are too many examples where that's not the case, and in fact, having a collection of security experts try to do the job for a larger collection of people rather than having each of those people do it themselves makes a lot of sense. You get more ability to move forward quickly when you have experts doing it for people rather than everybody doing it themselves."
The GSA oversees FedRAMP.