The FedRAMP cloud security initiative took another step towards its goal of becoming operational in June with the recent announcement of approved third-party assessment organizations (3PAOs). Launched by the Obama administration in December, the Federal Risk and Authorization Management Program (FedRAMP) aims to cut the cost and time spent on agency cloud authorizations by setting a standard approach to cloud security assessments. Dynamic Research Corporation, an Andover, Mass.-based provider of IT solutions to government customers, is one of the newly minted 3PAOs. In this interview, Todd Coen, vice president of DRC’s homeland security solutions division, talks about how his firm will evaluate cloud providers’ security, the FedRAMP process, and the program’s potential impact.
SearchCloudSecurity.com: What will DRC do as a 3PAO? How will you review cloud providers’ security?
Coen: The cloud providers will initiate the process with FedRAMP. They’ll get to a point where they’ll be asked to have a security assessment performed against their security controls. The controls we look at as part of this process are the NIST 800-53 controls; that’s pretty standard across the federal market in terms of how we look at security. We’ll be performing tests against those controls and providing a security assessment report to the cloud service provider, which will take that back to FedRAMP…. FedRAMP will decide whether it wants to grant a provisional ATO [Authority to Operate] to the cloud service provider. Our role is audit and testing to make sure the [cloud provider’s] security meets the expectations against the level of conformity FedRAMP has set out.
SearchCloudSecurity.com: What’s the process to become a 3PAO?
Coen: You need to apply through FedRAMP, but in order to get through the process, you need experience doing assessments and show you have some competency. Along with that goes complying with ISO/IEC 17020:1998 , which [provides for] conformity of assessment standards… That’s the big push -- making sure you’ve done the work, you know how to do these assessments, you’ve met the conformity standards and that FedRAMP deems you capable of performing this work on their behalf.
SearchCloudSecurity.com: What’s next in the FedRAMP process?
Coen: They’re moving into the next stage of operation; they have CONOPS [Concept of Operations] and doing a good job of sticking to it. The next milestone is to start allowing the cloud service providers to apply to become FedRAMP certified cloud providers. June is when that is supposed to start. I assume there will be a series of cloud service providers that have government customers today that want to move quickly to get this certification. I would expect to see some packages move through the process in June with potentially some recommendations to FedRAMP after the 3PAO testing probably late summer or early fall.
SearchCloudSecurity.com: What impact do you think FedRAMP will have?
Coen: If someone asked me the same question two years ago I probably would have said I don’t see the federal government adopting the cloud that fast. I think we’re at the point, in these fiscally constrained times, where federal CIOs are pushing this. Departments like DoD and DHS are really getting on board. I think we’re going to see an uptick in adoption and obviously we know there are some financial tough times ahead for government; this will be a way they can save some costs by moving to these cloud service offerings… One thing that’s expensive in the federal space is the certification and accreditation process; it’s a lot of paperwork and a lot of money and time spent. This is a great opportunity to get out the door with something that’s been approved by the FedRAMP governmental body and someone doesn’t have to spend that money again if they’re willing to accept the FedRAMP ATO [Authority to Operate]. It’s a step in the right direction.
SearchCloudSecurity.com: Do you think FedRAMP will help boost cloud security beyond the federal government?
Coen: It will help. Honestly there are a lot of unknowns on the cloud side. I don’t think anybody can truly say they understand all the vulnerabilities that exist in the cloud offering… FedRAMP has put a stake in the ground and said, ‘We’re going to start here.’ We certainly have high hopes that this works well for cloud service providers and for the government. Security is everyone’s concern; we just keep finding ways to make that better and have more trust of what we can do with the cloud.
SearchCloudSecurity.com: What kind of demand do you think there will be for FedRAMP certification?
Coen: There’s definitely some demand. Even before the 3PAOs were announced, we had conversations with a handful of companies. When they were announced, we got a deluge of calls. Most of the cloud service providers are in that vetting phase…The folks who seem will be the first are ones that have customers in the cloud. There are a handful of cloud service providers that actually have government customers, so this means dollars and cents to them. Others will start feeling their way through the process maybe not as aggressively. I expect we’ll see a steady ramp up through the summer.