With FedRAMP, federal agencies will be able to evaluate and monitor cloud providers to ensure their services meet minimum security standards.
federal government has launched an assessment and monitoring program under
which cloud providers have to commit to a certain level of security before
being allowed to work with the government.
Federal Risk and Authorization Management Program (FedRAMP
establishes a baseline of security requirements for government contractors
interested in providing the federal government with cloud services, the Office
of Management and Budget said Dec. 8. Over two years in making, the finalized
FedRAMP is a "first step" toward securing cloud environments,
Federal CIO Steven VanRoekel
federal government spends hundreds of millions of dollars securing its IT
systems, and much of the tasks are "duplicative, inconsistent and time
consuming," according to VanRoekel. FedRAMP's "do once, use many
times" framework will save money, time and staff required to conduct
security assessments, he said. VanRoekel estimated there will be a 30 percent
to 40 percent cost savings for the government while securing cloud services
enables agencies to deploy cloud technologies, while realizing efficiencies of
scale to substantially reduce costs and transition time," he wrote on the
White House blog.
in June, all federal agencies must use FedRAMP when evaluating and purchasing
"commercial and non-commercial cloud services that are provided by
information systems that support the operations and assets of the departments
and agencies," according to a memo from VanRoekel. The requirement covers
systems that are provided or managed by other departments or agencies, contractors,
or other sources, VanRoekel added. Because vendors will already be certified
under FedRAMP, agencies will be able to move through the procurement process
more easily and cheaply.
with a set of minimum security controls cloud providers have to meet to work
with the federal government, FedRAMP also defines an assessment process for
authorizing those services and a continuous monitoring tool that all agencies
will be required to use.
is often cited as a primary cause for concern when considering cloud
deployments. FedRAMP will ease some of those concerns by specifying the bare
minimum of what providers have to deliver.
a uniform way of risk management and utilizes a standard set of baseline
security controls," VanRoekel said.
from the Department of Defense, Homeland Security and the General Services
Administration will oversee the FedRAMP authorization board. The board will
define and update the security authorization requirements and approve
accreditation criteria for third-party organizations that will assess cloud
providers for FedRAMP compliance. GSA will also create service-level agreements
and templates for the program and establish a record repository to house and
securely share assessment, accreditation and authorization information across
document released Dec. 8 did not specify the security controls that cloud
providers must have in place. Those details are expected from the CIO Council
within the next 30 days. The program management office is expected to publish
more detailed documentation within 60 days. The authorization board will
publish its governance model in the next 90 days. The program won't become
fully operational or take on its full assessment duties for a few more months.
since the White House reiterated its commitment to cloud services with its
"cloud first strategy" in February, federal departments and agencies
have moved 40 services to the cloud and identified 79 more that will be
migrated by June 2012. The cloud first strategy means agencies have to consider
cloud computing options for their IT implementations first before evaluating