
Security expert: FedRAMP cloud security standard not yet fully baked

The CEO of a FedRAMP 3PAO warned of the limitations of the FedRAMP cloud security standard when using it to assess cloud security.

CHICAGO -- All cloud service providers working with the U.S. federal government must comply with FedRAMP by June 2014, but according to the CEO of a FedRAMP-certified third-party assessment organization, numerous unresolved issues with FedRAMP and enterprise cloud security frameworks may hinder compliance efforts.


The U.S. government-backed Federal Risk and Authorization Management Program (FedRAMP) aims to provide a standard approach to cloud security assessments across federal agencies, with the ultimate goal being the reduction of duplicate efforts. Many organizations considering purchasing cloud services have also looked to the FedRAMP initiative as a possible benchmark for their own cloud security assessments.

Still, there are several unanswered questions, as well as unforeseen ones, related to cloud security that FedRAMP has yet to address adequately, according to Maria Horton, CEO of Reston, Va.-based security consulting firm EmeSec Inc., who presented on the topic Wednesday at the 2013 (ISC)2 Security Congress.

"What we are seeing is that there aren't any FedRAMP lessons learned yet," Horton cautioned. "Even as a FedRAMP 3PAO [third-party assessment organization], our lessons are very anecdotal evidence."

As an example FedRAMP compliance pain point, Horton pointed to cloud service-level agreements (SLAs). When simply purchasing cloud services from a single provider, organizations can insert requirements related to uptime with little issue. As "cloud-in-a-cloud" and compounded SLAs emerge, a simple uptime requirement won't be sufficient in a scenario where downtime happens and two contracted cloud providers are pointing fingers at each other over which is responsible. Horton compared the situation to the transition from legacy to open source systems when there were many "awkward handoffs."


"We're going to need a whole new set of metrics," she noted.

Even if a cloud service provider is FedRAMP-certified, some customization is usually required to fit the needs of any particular customer organization. Horton pointed to enterprises that have run into trouble buying services from FedRAMP-certified providers, but the specific services purchased "may be different from what was 'FedRAMPed.'"

Because of the ongoing need for a customization process, Horton said organizations can't rely on a single standard when assessing cloud service security.

"There are no clear security standards today with cloud providers," she added. "You have to make your own. How are you addressing the security controls and carving out what is unique about your managed service?"

Russell Jones, an (ISC)2 Security Congress attendee who works in a compliance-based role with U.S. Bank, said he attended the session to see if federal agencies had "anything new to share" in terms of compliance strategies. He said he came away with a better idea of how to work with cloud service providers and manage the outsourcing process.

Regardless of whether FedRAMP is used to guide cloud assessments, Horton reminded information security professionals in attendance that they also need to decide where cloud (and mobility) will fall within their own internal security frameworks. Horton said organizations could either work up a separate cloud security policy, which would hold the advantage of being able to address specific cloud controls and business practices, or cloud security could be folded into a single organizational security policy, which would provide a greater level of consistency in terms of security program governance. Over the long term, Horton foresees so many traditional IT processes being offloaded to the cloud that enterprises will eventually revert to one unified policy anyway.

Even after highlighting some potential pitfalls with FedRAMP, Horton praised the FedRAMP guidelines as being an "innovative" approach to cloud security and anticipates seeing how the "last mile" unfolds over the next year or two.

"I'm looking forward to [seeing] how these documents are all going to come together to create a true risk management framework," Horton said. "I think for security professionals, there will need to be some vision and thought … to make sure your risk management framework is appropriate."


As a CSP currently in FedRAMP, all I can say is that FedRAMP is extremely well organized and is a pioneering cloud computing (truly secure cloud computing) for the world.

Be careful what you read in the news and look for guidance from those 3PAOs who have "actually" gotten Cloud Service Providers through the process to ATO. Ignore everything else.

FedRAMP wasn't meant to be a cookie-cutter process where you receive an instruction set on how to build your architecture along with fully populated documentation templates. They have close to 300 controls and the "CSP" must determine how to meet those controls - not the government.

My apologies, but I just don't agree with the premise of this article or Horton's statements in general.

I read through this article and found Ms Horton's view to be interesting. However, it reeks a little of the "we need a one-size-fits-all solution." She comments, "What we are seeing is that there aren't any FedRAMP lessons learned yet." To this I would answer that the program is only now reaching full operational capability (FOC) and there have not been sufficient assessments completed to provide a bunch of "lessons learned."

Another area where Ms Horton shows her limited information assurance knowledge is in the area of customization of the cloud service for the customer. She says that "specific services purchased may be different from what was 'FedRAMPed.'" She is showing that she has no understanding of the fact that the Approving Authority for the client seeking an ATO to use their cloud services solution must take the FedRAMP-provided provisional authority to operate (P-ATO), evaluate the additional client requirements and deliver a determination of their organizational ATO.

I believe she is also wrong when she says, "Because of the ongoing need for a customization process, organizations can't rely on a single standard when accessing cloud service security." The assessment and resulting P-ATO will not change from one client to the next. The only change is in the client's requirements. Because these requirements will often change the baseline assessment, the client's Approving Authority must take this into consideration when determining the final authority to operate.

Ms Horton has lost sight of the fact that the P-ATO is very much like a "type" accreditation under DIACAP. It is the baseline of a system based on a given configuration at a specific time. These "type" accreditations are created for the use of a specific system type (in this case cloud services in the form of Infrastructure as a Service [IaaS], Platform as a Service [PaaS] or Software as a Service [SaaS]) at many locations (in this case used by many clients) and accredited by the client Approving Authority.

Finally, Ms Horton stated that, "There are no clear security standards today with cloud providers." I would be willing to bet that Maria Roat, Director of FedRAMP, would disagree. I know that I do. The standards are FISMA; the NIST SP 800 series documents; and FIPS 199 and 200. So this looks a little like Ms Horton may not have the skill set and experience for this work.