Shows & Panels
- Accelerate and Streamline for Better Customer Service
- Ask the CIO
- The Big Data Dilemma
- Carrying On with Continuity of Operations
- Client Virtualization Solutions
- Data Protection in a Virtual World
- Expert Voices
- Federal Executive Forum
- Federal IT Challenge
- Federal Tech Talk
- Feds in the Cloud
- Health IT: A Policy Change Agent
- IT Innovation in the New Era of Government
- Making Dollars And Sense Out of Data Center Consolidation
- Navigating the Private Cloud
- One Step to the Cloud, Two Steps Toward Innovation
- Path to FDCCI Compliance
- Take Command of Your Mobility Initiative
Shows & Panels
GSA finalizing requirements for FedRAMP
Wednesday - 8/25/2010, 7:26am EDT
By Jason Miller
Federal News Radio
The first cloud-based products or services to be certified and accredited for governmentwide use still may be six months away, but the universal approval process to securing systems is in the final stages of development.
Katie Lewin, the General Services Administration's cloud computing program manager in the Chief Information Officer Office, said GSA and the departments of Defense and Homeland Security are reviewing public and private sector comments on Version 1 of the requirements. She said GSA will issue Version 2 of the Federal Risk and Authorization Management Program (FedRAMP) requirements by the end of August or early September.
"Right now we are trying to push out the process and get as many comments as we can," Lewin said after her presentation at the Information Security and Privacy Advisory Board (ISPAB) meeting in Washington. "Once we get comments, we will post the controls by end of month or before. This is a process that is going through evolutions, so we will be refining and documenting the process."
FedRAMP is a part of the Obama administration's cloud computing initiative. The goal is to have a standard approach to certify and accredit products and services that reside on the cloud. The Office of Management and Budget wants a system to be approved once and used many times by the rest of government.
"The C&A process now is inconsistent as each agency does their own thing," Lewin said. "There is not a lot of acceptance or leveraging of the C&As done by others."
FedRAMP will let vendors and agencies certify and accredit a system at the low or moderate level and other agencies can implement it quickly without having to go through the 3-to-6 month C&A process. All three of the agencies-GSA, DoD, DHS--must approve the system before its placed on FedRAMP, and each system must have an agency sponsor, which also approves the final C&A. Vendors cannot just submit a system or product for FedRAMP approval, Lewin said.
The FedRAMP approval process also includes ongoing monitoring, assessment, reporting and remediation of security risk. OMB said the benefits include standard application of security requirements that are agreed to by all agencies, fewer risks because the systems are approved based on standards and cost savings for the agency and vendors because once it's approved, an agency can implement very quickly.
"CIOs will still need to sign the authority to operate before putting a system on their network even if FedRAMP approves it," she said. "The CIO must verify and validate the FedRAMP recommendation."
Lewin said GSA eventually may let non-cloud systems on FedRAMP, but for now the focus is on online applications only.
Version 2 of the requirements will include security controls detailed in the National Institute of Standards and Technology's special publication 800-53R as well as enhancements, said Kurt Garbars, the chairman of the Cloud Computing Security Working Group of CIO Council and GSA's chief information security officer.
"We have added 40-to-50 enhancements for moderate impact systems and about 13 for low impact systems," Garbars said. "It includes things like penetration testing, continuous monitoring using automated controls and things related to vulnerability scanning reporting."
Overall, Garbars said low impact systems will have to meet between 100-and-125 controls, while moderate systems will have to meet between 200-and-250 controls.
"It's been a balancing act to meet all the requirements," Garbars said. "There are thousands of requirements in 800-53 and we do not intend to add everything. Our goal is to come up with something everyone can live with."
He added that if an agency wants a system that has been C&Aed at the low level to be moderate, they would have to gain approval for only the difference between the two levels and not have to go through the entire process again.
Garbars said that agencies should expect to submit products and services to FedRAMP beginning Oct. 1, with the first approvals coming between January and March 2011.
There are several outstanding questions that GSA continues to work on, he said.
Several government and industry members of the ISPAB asked what happens if one or more of the approving agencies decide the system no longer meets FedRAMP requirements.
Garbars said the working group still is working on this, but he would expect the vendor or agency would have to fix the problem, and if they couldn't fix the problem, the system would be removed from FedRAMP.