NATIONAL HARBOR, Md. – The U.S. federal government's new effort to streamline cloud provider security evaluations has been live for just a few days, but the official overseeing the program said the next major piece of the program is just a few weeks away from release.
Speaking Monday at the 2012 Gartner Security & Risk Management Summit, David McClure, associate administrator of the General Services Administration's Office of Citizen Services and Communication, offered a comprehensive update on the Federal Risk and Authorization Management Program. More commonly known as FedRAMP, it's an initiative to standardize the security requirements that cloud computing service providers must meet to be eligible to win contracts with government agencies.
Announced last year and developed jointly by the GSA, Department of Defense and Department of Homeland Security, and in consultation with several other government entities including NIST, FedRAMP is intended to be an on-ramp to help government organizations speed up their drive toward cloud computing, specifically by reducing the time and cost of cloud provider security assessments.
Based in part on the oft-maligned Federal Information Security Management Act or FISMA, -- which McClure called "sometimes a very flawed process" -- FedRAMP does nothing to lower the security standards of the federal government, he said.
"I'd argue that because of the uniformity of the need for cloud security, and the agreement on baseline testing and continuous monitoring, we're probably enhancing the security posture of the government overall,” McClure said.
FedRAMP officially began last week, as the program was deemed ready to accept applications from cloud providers seeking FedRAMP authorizations. GSA officials have previously stated their hope to have at least three FedRAMP-authorized cloud providers by year's end.
"In three days [since the launch], the number of applications coming in from cloud service providers has doubled almost every day," McClure said in regard to providers seeking the FedRAMP certification. "The interest is huge."
FedRAMP, McClure said, was designed with four key objectives in mind: develop a set of baseline security controls for cloud computing; validate a set of trusted third-party assessment organizations (3PAOs); establish trust in the program using a Joint Authorization Board to ensure each agency's cloud provider assessments meet FedRAMP standards; and finally, facilitate the transition to continuous security monitoring for government cloud computing implementations.
While the core of FedRAMP addresses the first three objectives, guidelines for continuous cloud monitoring have not yet been released. However, McClure indicated that effort is in its final stages, and guidance will be released within 60 days.
"We know there's going to be a balancing act between static controls testing, operational, managerial and technical, and we need to look at advanced persistent threats and ongoing vulnerabilities that occur almost in real time," McClure said. "What you'll see shortly is a revised continuous monitoring program that will be game-changing and will be key to obtaining services."
He said developmental oversight of the continuous monitoring guidelines is taking place within the DHS National Protection and Programs Directorate and is led by Deputy Under Secretary for Cybersecurity Mark Weatherford.
Some security experts have criticized FedRAMP, saying it does not mandate the use of common security configurations and isn't specific enough in a variety of areas. In turn, some speculate that government organizations may demand additional security requirements from cloud providers, negating FedRAMP's effectiveness.
McClure admitted FedRAMP's baseline set of controls will not be sufficient for all agencies and all scenarios, and that many will add controls that are unique to their environments or implementations. Still, he expressed confidence that the program will eventually achieve between 60%-80% reuse, in which an agency contracts with a cloud provider whose security assessment was performed by a different agency.
"If we can instill this trust level across the government, we will not only decrease the cycle time for the assessment process, but we'll also reduce the cost by 20%-50%," McClure said. "An assessment can cost up to $1 million based on size, scale and length of time. If we can reduce that, it provides a much faster entry ramp than what was possible before."
Robert C. Richardson IV, chair of the IS/Security Accreditation Working Group of the Defense Information Systems Agency -- speaking regarding his own opinions and not on behalf of DISA -- said he is optimistic about FedRAMP's prospects for success. He said the fact that the Office of Management and Budget (OMB) threw its weight behind the program was a strong incentive for other agencies to get involved.
"It's good; it's moving fast and they're taking the right approach. They're not imposing standards,” Richardson said. “They're offering recommendations and incorporating all the right players" within key government agencies, he added.
Regarding whether agencies would trust each other's cloud provider validations, Richardson said they would because they're being forced to; smaller agencies with limited budgets often can't afford their own independent cloud provider assessments.