Industry experts and cloud service providers are hopeful about the prospects of a new federal program that sets cloud computing security standards, but they also note some potential pitfalls.
The Obama Administration last month launched the Federal Risk and Authorization Management Program (FedRAMP), which sets a standard approach for assessing the security of cloud services and products against a baseline of controls. The goal is to cut the cost and time spent on redundant agency security assessments and cloud authorizations.
“What it is going to do is provide government agencies and organizations with an easier way of acquiring public and private cloud computing authorizations, which means they can start using cloud a lot easier than they could have through the older FISMA process,” said Dan Philpott, a federal information security specialist and member of the Cloud Security Alliance.
Under FedRAMP, a cloud service provider goes through authorization with one agency and other agencies can leverage that authorization. If an agency has additional requirements, then only the delta between the baseline and those specific requirements needs to be addressed, which provides a more economical model for security, he said.
The “do once, use many times” approach promised by FedRAMP will save both government and industry a lot of money by cutting down on the number of certifications – provided it truly happens, said Jennifer Kerber, vice president for federal and homeland security policy at TechAmerica, a Washington, D.C.-based industry advocacy organization.
The problem will be if a growing number of federal agencies tack on additional requirements to a provider’s certification, she said. “If no one really accepts it and it’s all FedRAMP ‘plus,’ then you have to pay all this extra to get certified, I’m not sure it’s worth it.”
Alan Paller, director of research at the SANS Institute, is highly critical of FedRAMP, which he views as a lost opportunity.
“FedRAMP could have been the breakthrough that enabled the government to lead by example in cybersecurity – demonstrating how to do it right,” he said in an email. “FedRAMP provided that opportunity because it has the leverage of contracting – no company could provide FedRAMP services if they did not meet FedRAMP security rules, so had they done the right rules they could have radically improved security and lowered the cost of effective security.”
But officials missed that opportunity by providing guidance that did not require six measures known to provide effective security, including using common security configurations and implementing daily continuous monitoring and mitigation, Paller said. “Instead, the guidance called for people to write reports that could easily be written without effectively implementing any of the six [measures]. It's a throwback to FISMA at its worst and it is inexcusable,” he said.
White House officials expect FedRAMP to be operational by June after they complete a number of steps, including publishing the security controls, a concept of operations and a charter.
This week, they released the security control requirements, which are based on NIST Special Publication 800-53 Revision 3 and include controls that address the unique risks associated with cloud computing, such as multi-tenancy and shared resource pooling.
A key component of FedRAMP is the use of third-party assessment organizations (3PAOs), which will assess cloud providers’ implementation of the security requirements. The FedRAMP program management office plans to publish an initial list of FedRAMP-accredited 3PAOs in the second quarter.
In response to criticism that FedRAMP will be a report-based compliance program that doesn’t implement effective security, a FedRAMP program office spokesperson said in an email that FedRAMP will assess and authorize cloud solutions based on implementation of the NIST SP 800-53 security controls and independent validation by an accredited 3PAO. “Once these cloud solutions are assessed and authorized, FedRAMP will coordinate the continuous monitoring activities with federal agencies and DHS, with a focus on real-time data and automation, giving agencies a better ability to view the risk posture of a cloud solution in near real time,” the spokesperson said.
Philpott said having accredited third-party assessors will make it easier for agencies and cloud service providers to know who truly has the technical expertise to evaluate cloud security. He welcomed the final release of the FedRAMP security controls, which he said the CSA plans to quickly adapt to its Cloud Controls Matrix to help the cloud computing industry adopt them.
Falls Church, Va.-based CSC is well prepared for FedRAMP after taking its cloud services through a federal certification and accreditation process, said Yogesh Khanna, North American public sector chief technology officer at CSC. The technology provider recently deployed IaaS and a cloud-based service for development and testing for DHS, he said.
“We’ve gone through the wickets with DHS, taking our system through a pretty comprehensive C&A process,” he said. “We understand the 800-53 goals. … I feel as a company and one that is a strategic partner of one of the leading federal agencies playing a significant role in FedRAMP, we have a lot of experience already under our belt.”
Khanna said FedRAMP will benefit service providers, vendors and cloud customers by providing a benchmark for cloud computing security standards. “You’re letting go of some level of control as a cloud consumer. Unless there’s some industry standards and third parties reviewing it, we’ll always be stuck in a mode where people use security as a barrier,” he said.
Potential FedRAMP issues
While optimistic about FedRAMP, Khanna said he hopes federal officials are prepared to handle the volume of demand the program may generate. “Right out of the gates, they don’t want to create an impression that they’re a stodgy bureaucracy,” he said.
Cloud service providers have a role in the program’s success by making sure they have polished packages that are ready for evaluation, but he would have liked to have seen some commitment to a time limit for FedRAMP’s governing agency to review a cloud service that’s been approved by a 3PAO.
“What we can’t have – and we have a role to play to make sure this doesn’t happen – is the traffic being so great and the staff at FedRAMP not being adequately situated to handle the traffic, creating the perception that things go into the FedRAMP office and nothing comes out,” Khanna said.
Philpott said he sees a potential issue with how a federal initiative, Trusted Internet Connections (TIC), will work under FedRAMP. TIC requires that agencies limit the number of Internet connections they operate, and that traffic be routed so DHS can monitor it for security threats. Routing network traffic to meet the requirements of TIC may not be feasible under some cloud service models, Philpott said.
Overall, though, the baseline of cloud computing security standards established by FedRAMP has the potential to improve cloud security, Philpott said. Commercial customers will be able to ask cloud providers to provide the same security they provide the government.
“A lot of cloud providers are very security conscious. Not all of them, but most of the major ones are,” he said. “We hope and expect this is going to provide a level playing field.”