The federal government has launched an assessment and monitoring program under which cloud providers have to commit to a certain level of security before being allowed to work with the government.
The Federal Risk and Authorization Management Program (FedRAMP) establishes a baseline of security requirements for government contractors interested in providing the federal government with cloud services, the Office of Management and Budget said Dec. 8. Over two years in the making, the finalized FedRAMP is a "first step" toward securing cloud environments, according to Federal CIO Steven VanRoekel.
The federal government spends hundreds of millions of dollars securing its IT systems, and many of those tasks are "duplicative, inconsistent and time consuming," according to VanRoekel. FedRAMP's "do once, use many times" framework will save the money, time and staff required to conduct security assessments, he said. VanRoekel estimated there will be a 30 percent to 40 percent cost savings for the government while securing cloud services under FedRAMP.
"FedRAMP enables agencies to deploy cloud technologies, while realizing efficiencies of scale to substantially reduce costs and transition time," he wrote on the White House blog.
Starting in June, all federal agencies must use FedRAMP when evaluating and purchasing "commercial and non-commercial cloud services that are provided by information systems that support the operations and assets of the departments and agencies," according to a memo from VanRoekel. The requirement covers systems that are provided or managed by other departments or agencies, contractors, or other sources, VanRoekel added. Because vendors will already be certified under FedRAMP, agencies will be able to move through the procurement process more easily and cheaply.
Along with a set of minimum security controls cloud providers have to meet to work with the federal government, FedRAMP also defines an assessment process for authorizing those services and a continuous monitoring tool that all agencies will be required to use.
Security is often cited as a primary cause for concern when considering cloud deployments. FedRAMP will ease some of those concerns by specifying the bare minimum of what providers have to deliver.
"It's a uniform way of risk management and utilizes a standard set of baseline security controls," VanRoekel said.
Officials from the Department of Defense, Homeland Security and the General Services Administration will oversee the FedRAMP authorization board. The board will define and update the security authorization requirements and approve accreditation criteria for third-party organizations that will assess cloud providers for FedRAMP compliance. GSA will also create service-level agreements and templates for the program and establish a record repository to house and securely share assessment, accreditation and authorization information across agencies.
The document released Dec. 8 did not specify the security controls that cloud providers must have in place. Those details are expected from the CIO Council within the next 30 days. The program management office is expected to publish more detailed documentation within 60 days. The authorization board will publish its governance model in the next 90 days. The program won't become fully operational or take on its full assessment duties for a few more months.
Ever since the White House reiterated its commitment to cloud services with its "cloud first strategy" in February, federal departments and agencies have moved 40 services to the cloud and identified 79 more that will be migrated by June 2012. The cloud first strategy means agencies have to consider cloud computing options for their IT implementations first before evaluating other options.