Federal agencies are preparing to take another big step on the long road to FedRAMP, the new approve-once, use-many-times approach to security certifications for cloud computing in federal agencies.
By next month, program planners said, they will have approved the first batch of outside organizations who will perform independent assessments to determine whether a given commercial cloud offering meets federal security requirements. The third-party assessment organizations, or 3PAOs, are a key part of the new security approval process, which federal officials believe will lead to faster, more consistent, more efficient security approvals.
“For many, many years, we’ve been approaching computer security in the federal government agency by agency by agency,” said Dave McClure, the General Services Administration’s associate administrator in the Office of Citizen Services and Innovative Technologies. “It’s resulted in a very fragmented and very inefficient approach, one in which the ability to share and work across agency boundaries has been stifled a bit. FedRAMP is our first attempt to really dig into that.” McClure said GSA and the other agencies in charge of planning and managing FedRAMP (Homeland Security, Defense and the National Institute of Standards and Technology) have been trying to take a slow, rolling start to the program to ensure that it works properly and that agency security officials can eventually come to trust it. That is the reason for the delay in approving the third-party accreditors: GSA and NIST had originally planned to sign off on the first round of 3PAOs by late March or April.
“It’s a very rigid process using ISO standards and a lot of capability demonstration,” McClure told a gathering of the Association for Federal Information Resource Management Friday in Washington. “The problem we’re solving with that, hopefully, is a consistent and uniform application of the baseline set of security controls. Another plaguing problem in our security world is that even if we agreed on what the controls are, we often see a huge degree of variability in how they’re actually reviewed and implemented and studied by the assessment organizations used in government now.”
Approval by 3PAOs is just the beginning
GSA has set out a list of strict conflict-of-interest standards to make sure that companies that want to be third-party accreditors aren’t also involved in developing or delivering cloud computing services.
But the 3PAOs don’t have the final say on whether a commercial cloud product can be used in an agency. Once the independent bodies give their blessing to a cloud offering, it’ll be reviewed by a government body called the Joint Authorization Board (JAB), which is made up of the chief information officers from DoD, DHS and GSA. The JAB then will decide whether or not to issue a provisional approval to operate a cloud system. Even that’s not the final word, though. Agency heads and CIOs still will have the legal responsibility to make sure the systems they decide to use are properly secured, and they’ll be able to add security controls of their own.
But FedRAMP will have done most of the legwork for them, said David Devries, a deputy CIO in the Defense Department.
“For a system, if I’m going to do something in DOD, even if GSA has already gone through a similar package, my final [authority to operate] is about six inches deep. I have that six inches for everything that’s going into a cloud. That’s a lot of trucks coming up to the Pentagon to drop those things off so we can review and read them,” he said. “Well now, about two-thirds of that is going to come from a common standard here that’s going to get replicated across the government. I don’t have to pay somebody to reproduce that thing anymore. That’s what I’m reducing.” While FedRAMP should theoretically make it a lot easier for vendors to have their cloud products certified for federal use, not every vendor can expect to have its products go through FedRAMP, McClure said. For one thing, the board that has to handle all those provisional approvals is made up of just three people who already have busy day jobs.
Richard Spires, the DHS CIO, said that all cloud providers who work with agencies should nonetheless start making sure they meet FedRAMP’s 168 baseline controls.
“We don’t know exactly what the demand curve is going to look like, but we expect it to be pretty high for these provisional approvals. That means we’re going to have to prioritize,” he said.
“Governmentwide capabilities and things that are already awarded, like providers who are already on the GSA infrastructure-as-a-service vehicle, are pretty much going to go to the head of the line, at least in the beginning. But that doesn’t mean that you can’t work with your agency to move along and get compliant with the baseline standards anyway. And then when you can get that provisional authorization, you’re already essentially done. The JAB doesn’t want to be the bottleneck in the process.”
JAB to release guidance for cloud providers
Spires said the Joint Authorization Board plans to release detailed guidance within the next few months designed to help cloud service providers tailor their products to FedRAMP requirements such as continuous monitoring.
McClure said sharing information about agencies’ security needs is a foundational part of FedRAMP. Much of that information won’t be shared publicly, but it’ll be a big change from not sharing it at all.
“We are going to be creating a secure repository where all of this information is housed and can be shared inside of government, and to a yet-to-be-determined degree with [cloud service providers],” he said. “One of the issues that plagues us in government is that we all do stuff and we never see what each other are doing. So for this program to be successful, not only will we require a standard process to be used, [chief information security officers] across government will have access to the actual security assessment reports and interact with the FedRAMP program office, interact with the cloud providers and streamline this as much as we can so that we can indeed leverage.”
McClure said there will be “hiccups,” particularly in the early stages of the FedRAMP process.
“We know that security officers are still going to have varying interpretations of what controls are acceptable and what additional controls can be used, and whether they can actually leverage a total FedRAMP package or not,” he said. “We know we have to demonstrate the foundational elements of solid evaluation, high degree of trust and the ability to leverage. We are going to have to show the value proposition.”
This story is part of Federal News Radio’s daily Cybersecurity Update.
Tom Temin is the host of The Federal Drive, which airs from 6-10 a.m. on 1500 AM in the Washington, D.C. region and online everywhere. Tom has 30 years’ experience in journalism, mostly in technology markets. Before coming to Federal News Radio, he was a long-serving editor-in-chief of Government Computer News and Washington Technology magazines.