As agencies face an impending deadline to implement the current set of cloud security standards, the next version already is under development.
The General Services Administration and the Defense and Homeland Security departments are kicking off Federal Risk Authorization and Management Program (FedRAMP) 2.0 by incorporating new cyber requirements from the National Institute of Standards and Technology Special Publication 800-53, Rev 4. NIST released the latest version of the privacy and computer security controls for federal information systems in April 2013.
“We will have that come out at some point in the next two or three months, probably sooner, but I like to under promise and over deliver,” said Matt Goodrich, GSA’s program manager for FedRAMP, at the Intel Security Innovation Summit in Washington Wednesday. “You’ll see our new baseline come out, and we’ll have our transition strategy come out in the next few weeks of what that will look like. But essentially with that baseline, we will take the same approach as we did when we launched FedRAMP, which was we put it out for public comments. We took it back with public comments to the JAB teams and looked at those public comments and looked where the baseline should be, and we had a new baseline. We are taking a lot of that into consideration, particularly a lot of those lessons learned over the last two years since the FedRAMP baseline was originally published.”
Goodrich said the Joint Authorization Board (JAB) will consider what should be added and what shouldn’t be in the baseline any longer.
Scott Renda, an Office of Management and Budget policy analyst, said one of the best attributes of FedRAMP is its flexibility. Renda, who is the portfolio manager for cloud computing at OMB, said if the government decides on new cyber requirements or if several agencies are adding similar security controls to their own version of FedRAMP, the governmentwide baseline isn’t hard to update.
Military only ones to add to baseline
So far over the first two years, only DoD has added additional controls to the FedRAMP baseline.
Goodrich said the program management office hasn’t heard from any other agencies which are following DoD’s lead.
Scott Toulsey, the deputy director of the Cyber Security Division at the Science and Technology Directorate at DHS, said agencies should be aware of a few challenges before adding new controls.
“I know DHS is looking at some additional controls, but it’s a little bit like the iceberg problem — you can think about additional controls to add above the water line, but we’ve all got lots of work executing the existing controls at a 99.9 percent level, not at an 80 percent level,” he said. “We still get hit all too often with old, well-known problems that were not picked up for all sorts of typical reasons.”
Goodrich said it’s important to remind vendors and agencies that FedRAMP’s goal was not to update or change the Federal Information Security Management Act (FISMA), but just to offer some transparency and consistency to the process. He said agencies don’t need to add new controls to FedRAMP unless they would have added more controls to FISMA.
DoD decided to add more controls to certain aspects of FedRAMP.
Teri Takai, the DoD chief information officer, clarified comments she made at a recent NIST conference about the path DoD is taking for cloud security.
“As it relates to data classifications, because that’s actually the way we look at the need for what standards. For data classification levels 1 and 2, we are following the NIST standards,” Takai said in an interview after her speech at the conference. “So when you come in to become qualified to be a DoD cloud provider through the Defense Information Systems Agency cloud broker, we actually are using the FedRAMP standards. We do not have a set of developed standards that are exclusively DoD.”
For higher data classification levels that FedRAMP hasn’t certified yet, DoD does have an additional set of standards on top of the governmentwide baseline, she said.
“As FedRAMP begins to look at classified information and begins to look at the standards, we actually are inputting to FedRAMP what our second level of standards are, and they’re looking at incorporating that into the standard FedRAMP,” Takai said. “The idea is over time we would not have any additional or separate set. We all would be using the FedRAMP standards for all levels of classification of information.”
Takai said DoD has no desire to go off the FedRAMP standards and do something different.
Alignment with other cyber programs unclear
DISA recently approved four cloud services for its broker program: Amazon’s GovCloud, CGI and Autonomic Resources. Amazon received two approvals for its clouds in the eastern part of the country and western part of the country.
DISA also now is part of the Joint Authorization Board under FedRAMP to ensure there is better coordination between DoD and civilian agency cloud security experts.
While the JAB is working on the update to the baseline, agencies have until June 30 for all of its cloud services to be approved under version 1.0 of the FedRAMP baseline, or at least be in the approval process.
What still needs to be clarified, however, is how these new FedRAMP standards will incorporate initiatives such as continuous monitoring or identity management.
That is a common concern among CIOs and others in the federal technology community.
DHS is moving forward with implementing the continuous diagnostics and mitigation (CDM) program across government, and FedRAMP is in close coordination.
But there are two other parts of the cross-agency priority goal for cyber — the Trusted Internet Connections and Homeland Security Presidential Directive-12 (HSPD-12), and how they fit into FedRAMP, needs to be addressed.
OMB’s Renda said several of the policies that support those cyber initiatives are old and may need updating.
“Cloud changes the way we buy technology — buying as a service, not as a good. I think as we move through this fiscal year and next fiscal year, we are definitely thinking about…what buying IT as a service means for the suite of security policies,” he said. “I can’t speak to what’s coming out. But we are aware of it. We are talking to people and thinking about those issues as we look into the range of the fiscal year.”
Phase 3 includes cloud
GSA’s Goodrich said the JAB is working with DHS to ensure the CDM program is moving in the same direction as FedRAMP. Phase 3 of the CDM program includes cloud.
In fact, Goodrich said, he’s hosting executives in the CDM program office Friday to meet with some FedRAMP vendors.
“CDM is focused solely on government assets right now. I think there are five phases of CDM, and they’ve only started phase one and are about to start phase 2. All the capabilities of the five capabilities in phase one that have come out, FedRAMP already requires of our cloud service providers,” he said. “CDM, from my perspective, is trying to make sure all government assets, government data centers have certain capabilities around it to do appropriate security.”
Goodrich added the big issue where CDM and FedRAMP will come together around policy and privacy issues.
“We’ve got to work through all of that in the future,” he said. “In terms of capabilities, we work very closely with them to make sure whatever is going to go out for government data centers and government requirements, FedRAMP will always require that too. I know their phase 3 revolves around cloud. We will make sure we are closely aligned with them. We already are talking to them about it. I don’t know how they will necessarily overlap, as much as we will make sure we are doing the same type of requirements as we move forward as they do.”
Beyond CDM, there is less clarity around TIC and HSPD-12. Renda said OMB is aware of this, but he made no commitment to how the administration will solve these challenges.