Feds Roll Out Cloud Security GuidelinesFeds Roll Out Cloud Security Guidelines

Inside DHS' Classified Cyber-Coordination Headquarters

The federal government Tuesday afternoon released draft plans for a program to ensure cloud services meet federal cybersecurity guidelines, which should help shore up lingering government concerns about cloud security and accelerate adoption of the technology.

The government expects the program, the Federal Risk and Authorization Management Program (FedRAMP), to be operational by the first quarter of 2011. Through the voluntary program, developed with cross-government and industry support over the last 18 months, cloud services would go through a standardized security accreditation and certification process, and any authorization could then be leveraged by other agencies. "By simplifying how agencies procure cloud computing solutions, we are paving the way for more cost-effective and energy-efficient service delivery for the public, while reducing the federal government's data center footprint." federal CIO Vivek Kundra said in a statement.

The Obama administration has been pushing federal agencies to adopt cloud computing to help save the government money, with Kundra and other top officials championing the technology and instituting policies, such as data center consolidation requirements, that could help spark a shift to the cloud. However, federal IT managers have consistently raised security concerns as the biggest perceived barrier to adoption.

The debate over cloud security recently reached a boil in some government quarters. Google sued the Department of Interior last month for favoring Microsoft's cloud email service in a proposed acquisition. In the suit, Google claims that the agency's CTO told it that its product wasn't compliant with agency security requirements, but the agency then declined to provide those security requirements.

In addition to inconsistent requirements and fears about who controls the underlying data, the government's security concerns arise in part because cloud computing is a new paradigm that must be shoehorned into the security requirements of regulations like the Federal Information Management Security Act, which governs federal cybersecurity for most of government. FedRAMP achieves that by mapping out the baseline required security controls for cloud systems, and thus creating a consistent set of security guidelines for cloud computing.

FedRAMP also aims to eliminate a duplicative, costly process to certify and accredit applications. In the past, each agency would typically take apps and services through their own accreditation process. However, in the shared-infrastructure environment of the cloud, such a process is redundant, and FedRAMP allows services to be accredited once and have that accreditation leveraged by all government agencies.

The FedRAMP draft includes three major pieces: a set of cloud computing security baseline requirements; a process to continuously monitor cloud security; and a description of proposed operational approaches to authorizing and assessing cloud-based systems. The new program will be used for both private and public cloud services and perhaps eventually for non-cloud computing information technologies. Products are already beginning the process toward FedRAMP certification -- for example, two agencies have informed IBM of their intent to sponsor certification of Big Blue's new Federal Community Cloud services.

Commercial vendors won't be able to directly request FedRAMP authorization; instead, they must rely on the sponsorship of a federal agency that plans to use their cloud services. It appears the government anticipates a swarm of interest, as guidance on the CIO Council's website suggests, FedRAMP "may not have the resources to accommodate all requests initially" and that GSA will focus on systems with potentially large user bases or cross-government interest.

The program will continue to be an inter-agency effort under federal Kundra's authority, to be managed by GSA. A new organization, the Joint Authorization Board, which today includes reps from GSA, the Department of Homeland Security, and the Department of Defense, will, along with the sponsoring agency, authorize the systems that go through the process.

FedRAMP isn't by any means a panacea. As the draft recognizes, security calculations in the deployment of cloud services are made not just on the basis of accreditations alone, but are risk management assessments that require input from stakeholders. In addition, while FedRAMP provides a base accreditation, many agencies have security requirements that go beyond FISMA and, thus, may have to do additional work on top of the FedRAMP certification to ensure the cloud services they're looking to deploy meet their individual agency requirements.

Furthermore, some government officials and members of industry have expressed concern that the program's voluntary nature may make uptake slower than if the program had been mandated.

While FedRamp is still in draft form, industry, government and members of the public can submit targeted comments on FedRAMP via a Webform that's itself built on software as a service in Google Docs. Comments are due before Dec. 3. After the comment period ends, an inter-governmental "joint tiger team" will assess the comments for inclusion into the final FedRAMP guidance.