New FedRAMP standards first step to secure cloud computing

Thursday - 12/8/2011, 4:00pm EST

Jason Miller, executive editor, Federal News Radio


The federal IT reform effort is celebrating its one-year anniversary, and the Office of Management and Budget marked the occasion by releasing the much-anticipated cloud security framework.

Federal chief information officer Steven VanRoekel issued a policy memo detailing how the Federal Risk and Authorization Management Program (FedRAMP) will work, a series of deadlines for operational documents and a six-month deadline to get the program's initial operating capability in place.

"FedRAMP creates a governmentwide process for the secure use of cloud computing that reflects consensus among all these key agencies and stakeholders, and has been very extensively vetted through councils, academia and industry," VanRoekel said during a conference call with reporters. "This is a first step. We will continue to get feedback, continue to evolve and take the FedRAMP process forward."

Along with FedRAMP, OMB detailed more than $4 billion in savings or cost avoidance from TechStat sessions and announced a draft Shared Services strategy for commodity IT services.

"As we come to the end of a year on IT reform we've accomplished an incredible amount," VanRoekel said. "The next step for us is to really scale these efforts for maximum impact. FedRAMP is a good example of that where we are taking good things that are happening in certain areas and being really smart about scaling that across the government. You will see more in that area as we take each of the 25 point plan elements and take the best of the best and scale them in policy and practice across the government."

Do once, use many approach

VanRoekel said FedRAMP will promote the "do once, use many" approach.

Under the program, the departments of Defense and Homeland Security and the General Services Administration will run the FedRAMP Joint Authorization Board (JAB) to oversee and run the process, including approving third party assessment organizations, establishing a priority queue for cloud services reviews and issuing a provisional authority to operate to vendors.

"When an agency uses cloud services, they will leverage the FedRAMP cloud authorization," said Richard Spires, DHS CIO and vice chairman of the CIO Council. "They still have to do full authority to operate (ATO), but we think they can leverage up to 90 percent in what we do in granting the provisional authorization."

He added the FedRAMP authorizations on services will be at the low and moderate levels of the Federal Information Security Management Act.

Spires said the entire FedRAMP development process has been collaborative in order to build trust with agency CIOs.

But he said the JAB realizes CIOs will not accept the provisional authority blindly.

"They will need to make adjustments as they see fit for their agency," he said. "I certainly believe, with all that we've done with these controls and adding additional controls from the standpoint of cloud-based services, that we are secure for the FISMA low and moderate levels; there is a high degree of confidence. We've had these discussions in the CIO Council and I think there is a lot of excitement actually to move forward to leverage this. Frankly, as CIOs we are paying too much for all of this certification and accreditation work we do with security and we are looking for ways to streamline this."

VanRoekel said OMB estimates agencies could save between 30 percent and 40 percent on certification and accreditation (C&A) compared to what they are paying now—which some estimate to be in the tens of millions across the government.

"FedRAMP establishes a standardized approach to security assessment, authorization and continuous monitoring," he said. "It will save cost, time, money and staff associated with doing this work. It's a uniform way of risk management and utilizes a standard set of baseline security controls."

Common documents for FedRAMP

GSA will support FedRAMP through a program management office.

Dave McClure, GSA's associate administrator in the Office of Citizen Services and Innovative Technologies, said the PMO will act as troubleshooters to ensure the FedRAMP process works smoothly.

"We are designing some standard templates for security assessments that can be used governmentwide," McClure said. "We are coming up with contract templates for contract language and service level agreements that agencies can leverage without reinventing from scratch. We are coming up with some standardized agreements between departments and the FedRAMP PMO so this information can flow smoothly. And we will create a secure repository where we house a lot of the accreditation and assessment and ATO information so that it can be shared securely across the government and leverage the time spent on the assessment process."

The National Institute of Standards and Technology also is playing a key role in the FedRAMP process. It helped develop the security requirements based on its FISMA guidance.

It will create and help implement the conformity assessment procedures for the third party accreditors who will recommend approval of vendors to the JAB under FedRAMP.

Sen. Joseph Lieberman (I-Conn.), chairman of the Homeland Security and Governmental Affairs Committee, said the new framework is part of the administration's "steady progress" in improving federal technology.

"Today's unveiling of FedRAMP, a standardized system for assessing and monitoring the security of cloud products and services, moves the government closer to an open 'cloud-first' policy, which shows enormous potential for increased productivity, more efficiency and major cost savings," he stated in a release. "And that, after all, is what taxpayers want from their government, particularly in a tough economic environment."

OMB and the CIO Council issued the draft FedRAMP standards in late 2009 and received hundreds of comments.

McClure said through the comment process and by working with federal and industry experts, they believe they have addressed most of the concerns raised in the draft.

He said GSA will issue specific guidance to industry on how to put a particular product or service through the FedRAMP process.

"Industry products and services in the cloud space will be evaluated against the baseline controls," McClure said. "We will expect industry to be evaluated using third party assessment organizations. So those are two requirements that industry will be paying attention to. We don't want to create a bottleneck at the beginning of this process by assuming everything can come to FedRAMP. We want these controls and independent assessments done well, and then industry will find their products and services will be much more leverageable around the government than ever before and save them an enormous amount of dollars that they spend now doing that time and time again."

VanRoekel reiterated his previous comments, saying FedRAMP is mandatory for all cloud services.

More systems to the cloud

And agencies are moving to the cloud. OMB said departments have put 40 services in the cloud and expect to add another 79 by June 2012 as part of the administration's cloud-first initiative.

"The other great thing that happens that we've noticed, and this sort of proves out the benefit of the cloud, is that not only are we saving money by moving to the cloud and getting more operational efficiency, but we are also eliminating legacy systems," VanRoekel said. "Over 50 legacy systems have been eliminated over the last year by these agencies, and we are introducing new levels of security, reliability and in many cases new functionality into the government agencies. Things like collaboration, virtual meetings and other things are being introduced by moving to these cloud-based systems."

In addition to cloud reducing the number of legacy systems, VanRoekel said agency-led TechStat sessions have helped agencies save or avoid spending $931.7 million over the last two years. OMB-led TechStats have saved or avoided spending another $3 billion.


VanRoekel said $455 million of that cost avoidance or savings from agency-led TechStats come from eliminating duplicative systems and $120.5 million comes from terminating systems.

In a report on TechStat, also released today, OMB highlights how the 25 largest agencies have used this oversight process to improve project management.

Finally, VanRoekel announced a new draft shared services strategy for commodity IT. He said it would be posted online later today.

"This plan…encourages agencies to look inside their organization for opportunities for consolidating commodity IT and, as we progress, the strategy lays this out, look for shared services in other areas, both inside the agency and outside the agency," he said. "The strategy document is the first step in a broader process to do more with less, go in and cull out duplication and waste that we see in duplicating efforts." He added the strategy will be open for public comment from agencies and industry on whether this is the right approach and what areas should be targeted for shared services. VanRoekel said OMB believes commodity IT such as email and procurement of technology provides the biggest opportunity for shared services.
