GSA to tighten oversight of conflict-of-interest rules for FedRAMP

Tuesday - 12/20/2011, 11:03pm EST

Jason Miller, executive editor, Federal News Radio

Download mp3

Jason Miller, executive editor, Federal News Radio

Download mp3

Vendors wanting to provide cloud services and assess other vendors under the FedRAMP program will be watched closely so as not to violate federal conflict-of-interest rules.

Under the notice released Dec. 8, the General Services Administration wants vendors to wall off the different parts of their organizations if they want to provide both services.

"It will be a very strong test that we have to see a clear firewall between those capabilities," said Dave McClure, GSA's associate administrator in the Office of Citizen Services and Innovative Technologies, in an interview with Federal News Radio. "The key is we are relying on a specific ISO standard that is a clearer bar an organization must conform to, to demonstrate that separation in functionality. It's not just an arbitrary, 'tell us how you are doing it.'"

McClure added GSA also is building on the experience of the National Institute of Standards and Technology in establishing third party independent assessment functions. NIST has used third party assessors for Homeland Security Presidential Directive-12 and health IT products and services.

For FedRAMP, GSA is using ISO 17020, which looks for independence, impartiality and integrity in the process.

"The evidence of independence and impartiality will be taken quite seriously," said Kathy Conrad, GSA's principal deputy associate administrator in the Office of Citizen Services and Innovative Technologies. "The success of FedRAMP depends on the integrity and rigor of these third-party assessments. If there is any question that they are not done fairly and consistently and with real independence that would undermine the whole concept of FedRAMP. That is one of the reasons why we are being so determined those third party assessments are in fact done by organizations that are independent of cloud services."

Industry day excitement

The conflict of interest question was one of several areas vendors wanted clarification about Friday at the third-party assessment industry day GSA held in Washington.

Conrad said more than 200 people attended the event and she said there was a sense of anticipation and excitement that FedRAMP finally is moving along. The Office of Management and Budget Dec. 8 issued a policy memo detailing how the program will work.

GSA will lead the effort to choose third-party assessment organizations, which will be the first step vendor providers of clouds services must go through before receiving a provisional authority to operate from FedRAMP's Joint Authorization Board (JAB).

McClure said the third parties will be independent of the government and charge cloud service providers to analyze their software or hardware to ensure it meets the FedRAMP standards.

The notice GSA released detailed the application process for third-party assessment organizations.

Conrad said GSA will answer all industry questions by Jan. 6 and start accepting the first-wave third-party assessment applications by Jan. 9.

She said the first round of applications will close Jan. 20, but GSA will continue to accept third party proposals on an ongoing basis.

Conrad said the first set of third-party assessers should be named 45 days after the initial application period closes.

FedRAMP security controls coming soon

GSA also will issue the FedRAMP security controls on or about Jan. 8 and the concept of operations will come in February, Conrad said. GSA expects FedRAMP to meet initial operating capability by late spring.

It will take approximately a full year to get FedRAMP to full operational capability, McClure said.

"We will run the companies under the infrastructure-as-a-service contract run through the process to understand the deltas," he said. "Part of the way FedRAMP intends to operate is there will be a baseline standard that agencies have to meet. Then they are able to add additional controls beyond the baseline."

Conrad added she thinks the difference between what the IaaS vendors went through for approval by GSA will be small with what they still have to do to meet FedRAMP requirements.

And once GSA awards the blanket purchase agreement for e-mail-as-a-service, McClure said those vendors also will go through FedRAMP.

"What you will see evolving between now and the next six months is a prioritized list of cloud services that will be the first to go through FedRAMP," McClure said. "It will be multi tenant in nature, have the broadest impact and can be leveraged across the government."

RELATED STORIES:

New FedRAMP standards first step to secure cloud computing

GSA reopens cloud email RFQ

NIST, GSA setting up cloud validation process