More time needed to finalize FedRAMP

Wednesday - 6/29/2011, 8:38pm EDT

By Jason Miller
Executive Editor
Federal News Radio

Agencies will have to wait a little bit longer to buy cloud computing services that meet governmentwide cybersecurity requirements.

And vendors looking to offer these cloud services also will have to find more patience as the interagency working group expects to publish the final set of certification and accreditation requirements sometime between August and October, two government sources confirmed.

The General Services Administration and the departments of Defense and Homeland Security are developing the C&A requirements, under the FedRAMP program. But one agency source, who requested anonymity because they didn't get permission to talk about the process, said the agencies needed additional time to review and incorporate industry comments.

GSA, DHS and DoD originally hoped to finalize FedRAMP by the end of June.

The additional time also means vendors under GSA's blanket purchase agreement for infrastructure-as-a-service (IaaS), and agencies who want to use it, will have to wait longer.

An industry source, who also requested anonymity, said GSA added about 30 additional requirements for the C&A process at the moderate level in the last few weeks. The source said many vendors, including their company, were about ready to go through the final stages of the review process.

One of the government sources said IaaS follows FedRAMP closely so when the interagency group added more requirements so did GSA.

Multiple requests to GSA for comment on the changes to the FedRAMP schedule and the new requirements for IaaS were not answered.

In the meantime, the additional time slows down the government's move to the cloud.

DHS, for instance, issued a request for quote to move their public websites to the cloud in May. In the RFQ, DHS is requiring the winning vendor go through the FedRAMP certification process within 120 days of award. The industry source said making that deadline likely will be difficult.

Additionally, agencies are counting on the speed and lower cost FedRAMP is expected to provide.

Jaspal Sagoo, the chief technology officer for the Centers for Disease Control and Prevention, said his agency has been struggling for the last few months for how to provide a common vehicle for cloud services.

"We are looking at GSA Schedule 70 and we are looking at all the vendors who are about to go through the FedRAMP process as our baseline," he said Wednesday at the Cloud Computing Symposium sponsored by the Bethesda, Md. chapter of AFCEA. "We will offer that as the list of vendors that initially we will approve within the department."

Sagoo added without having that approved list of vendors, CDC could face sprawl where data is stored everywhere across the country and even across the world.

He said CDC over the next six months will start with the GSA-approved vendors and then expand from there.

But even when FedRAMP is finalized, the requirements may not meet all the agencies needs.

"It would not surprise me if each agency has some customization but if time to get a C&A on a cloud service is decreased, then FedRAMP has met its objectives," said Bill Lewis, a director in the portfolio management division of GSA's Federal Acquisition Service, at the conference. "But the proof is in the pudding."

He added FedRAMP would be issued soon, but did not give any more details.

The delay in finishing FedRAMP also will affect other cloud computing guidance.

The Chief Information Officer Council's Information Security and Identity Management Committee is working on guidelines for the secure use of cloud computing.

Earl Crane, the director of the cybersecurity strategy division in the DHS CIO office and who leads the development of the document, said the council will issue the guidelines after the final FedRAMP requirements are completed.

Crane offered some details of the 130-page document, which focuses on the top 20 considerations for securing agency cloud services.

Crane said no matter what type of cloud services an agency buys-software-as-a-service (SaaS), platform-as-a-service or IaaS--they all require specific decisions based on security, visibility and responsibility.

"You have this sliding scale where some capabilities are the responsibility of the cloud service provider and some are the responsibility of the cloud consumer," Crane said. "Based on the level of control you want to have in that environment, the level of inspection that you need in that environment and the cost decisions, you have this sliding scale where you can pick to use IaaS, where you are getting ping, power and pipe and you can build a system that you can audit and uses your customized capabilities or is administered by your staff. Or is it something where you want to do SaaS, where you have a smaller sliver of what you are able to inspect, what you are able to look for, but a lot more of the responsibility is the cloud service provider's in providing audit capabilities, providing attestation of the security services, third party inspection of the services they are delivering."