FedRAMP to Become Mandatory

Fed Agencies Must Use Program to Contract Cloud Services

November 3, 2011.
FedRAMP, the government program aimed at vetting cloud computing providers, eventually will become mandatory for federal agencies outsourcing cloud services, Federal Chief Information Officer Steven VanRoekel said Wednesday at a National Institute of Standards and Technology cloud computing government and business conference.

VanRoekel also said the White House is in its final stages of approving FedRAMP, the Federal Risk and Authorization Management Program (see Fed's Common Sense Vetting of Cloud Providers).

In his speech, one of his first as federal CIO, VanRoekel made it clear that he buys into his predecessor's strong belief that the cloud will serve as a primary computing platform for government IT. Last February, then-Federal CIO Vivek Kundra unveiled the government's Cloud First initiative, in which he said one-quarter of government IT spending would be for cloud services (see Kundra Eyes 25% of Fed IT Spend on Cloud Services).

VanRoekel said the federal cloud strategy has four prime areas: agencies, FedRAMP, international and cybersecurity. Agencies, he said, need to have the right tools to migrate to the cloud. In addition, he said, the Federal CIO Council is drafting a white paper to help agencies address cloud legal matters.

The CIO said procuring cloud services through FedRAMP should be transformational, saving agencies money and providing agility in acquiring needed services. He said the federal government is exploring compliance, jurisdictional and service-level agreements as they relate to international challenges, adding that there's a need to strike a balance between trade, innovation and cybersecurity.

VanRoekel, whose official title is administrator of e-government and IT in the Office of Management and Budget, said OMB will continue to work with NIST and the Department of Homeland Security to enhance cybersecurity within the government's cloud operations.

The conference comes a day after NIST released a draft of its roadmap to cloud computing (see NIST Issues Cloud Computing Roadmap), which NIST Director Patrick Gallagher characterized as a "catalyst for action" on widespread adoption of cloud computing by the government.

Gallagher said the roadmap calls for the development of performance-based - as opposed to prescriptive - standards. "How your particular company solves a problem should be irrelevant so long as the outcome, the level of service, is of the quality the cloud consumer and provider agreed upon," he said. "That quality should also be quantifiable, going back to metrics."

The NIST director said cloud consumers need checks and balances that provide confidence that their data will be well cared for regardless of where that information is stored or manipulated at any given time. "The activities of other tenants in the cloud should not disrupt their neighbors," he said. "Cloud consumers need ways to ensure appropriate monitoring and physical security to protect their valuables against theft or destruction. We need insurance, redundancy, a backup plan of some kind."

In addition, Gallagher said, cloud consumers need the ability to pack their data and move to another cloud if they so choose, without excessive cost.

Follow Eric Chabrow on Twitter: @GovInfoSecurity
