Feds Enhancing Cloud Security Vetting Process
'FedRAMP Forward' Aims to Hasten Pace of Security Approvals
Seeking to boost participation by federal agencies and cloud-service providers in the security vetting program known as FedRAMP, the General Services Administration has issued a two-year roadmap aimed at improving and enhancing the initiative.
GSA unveiled on Dec. 17 FedRAMP Forward, an initiative it says will allow the FedRAMP cloud services security vetting process to happen faster and with fewer hurdles. The initiative is also designed to be adapted as a result of the evolving cybersecurity landscape.
FedRAMP Director Matt Goodrich says the roadmap process also should help GSA, which administers the Federal Risk and Authorization Management Program, gain a better understanding of how the program is used. "We really need to understand who's using it so we can establish better metrics [and] ... really understand that the total depth of cloud use across the federal landscape."
A guiding principle of FedRAMP, launched in June 2012, is that one agency could piggyback on the work performed by another to assess the security furnished by cloud service providers. "Do once, use many times" is FedRAMP's mantra.
Top Objectives
One of the chief goals of the roadmap is to get federal departments and agencies to collaborate more on establishing criteria to vet the security furnished by cloud service providers. To achieve that objective, according to the roadmap, the program management office will launch working groups to give agencies a forum for collaboration as they work through FedRAMP assessments, authorizations and continuous monitoring of cloud providers.
"The FedRAMP project management office is trying to make sure that it's working with agencies to help them form collaborative working groups, and possibly identifying opportunities where one can do assessment and others can leverage and vice versa," says Dave McClure, who led the development of FedRAMP. In September, he became chief strategist at Veris Group, an IT security advisory company that provides third-party assessments of cloud providers. "It's not one agency doing the work of the entire government. It's trying to figure out who is well equipped and positioned and has resources for specific types of cloud solutions, and other agencies piggyback and leverage off of that work."
The roadmap identifies nine objectives, such as enhancing the consistency and quality of third-party assessment organizations, re-using industry standards to assess and authorize cloud providers, and improving the understanding of FedRAMP itself among agencies and providers. The roadmap provides six-month, 12-month, 18-month and 24-month outcomes for each of the objectives, although not every objective will have an outcome for each period. The federal government requires agencies to use FedRAMP in their selection of cloud service providers.
Take, for instance, the timeline for the goal of establishing a flexible framework for data and workflow management:
- Month 6: Identify existing workflow tools, control automation and document automation capabilities;
- Month 12: Demonstrate automated tools and processes used to document processes and assess the performance of cloud service providers;
- Month 18: Publish draft requirements for automation of FedRAMP documentation; and
- Month 24: Finalize automation requirements for FedRAMP documentation.
Government-Industry Alignment
Another objective of the roadmap is to align federal government and industry standards to assess cloud security. McClure explains that's important, not only to drive efficiencies, but because the private sector is looking at FedRAMP as a standard they can deploy to vet their cloud providers in the same manner as businesses adopt IT security guidance developed by the National Institute of Standards and Technology for government agencies.
Companies in healthcare, energy, finance and retail are very interested in learning how to use a baseline set of standards such as FedRAMP to make their cloud-services approval process rigorous and efficient, he says. "A lot of firms are reaching over into the FedRAMP process and borrowing from it in order to make themselves compliant as well as comfortable that they actually got very effective solutions in place," McClure says.
In addition, he says, if federal government and industry standards for vetting the security of cloud providers can be aligned, it would make it easier - and eventually less costly - for the providers to offer their services.
GSA says nearly every federal agency is participating in FedRAMP, although not all cloud computing implementations have gone through the FedRAMP vetting process. The agency says more than 50 cloud service providers are engaged in FedRAMP, though only 27 have so far qualified; the others are still going through the authorization process.
The FedRAMP program management office has accredited 31 third-party assessment organizations, or 3PAOs, that audit cloud providers to confirm they offer appropriate security. A conservative estimate of $40 million in cost savings has been achieved with less than $13 million invested in creating FedRAMP, GSA says.