FedRAMP is one step closer to becoming a reality. The General Services Administration, the Defense Department and Homeland Security Department sent the final policy memo to the Office of Management and Budget for review in September.
Dave McClure, GSA’s associate administrator in the Office of Citizen Services and Innovative Technologies, said today the cloud computing security standards are ready to go and now it’s just a matter of finalizing the policy memo for FedRAMP to kick off.
But McClure cautioned the cloud security process will not meet full operational capability until about a year after OMB signs out the final policy memo.
“This is not going to be as easy as we like out of the gate,” McClure said during a presentation at the Information Security and Privacy Advisory Board meeting in Washington. “There will be a lot of learning and we will do assessments to make sure we are meeting the government’s needs.”
McClure said once OMB makes the policy public — which it has promised to do since early 2011 — FedRAMP will release a flood of documents describing the concept of operations, security controls, including continuous monitoring requirements, the notice for independent companies to become third-party accreditors of cloud services, the conformity assessment model and continuous monitoring controls.
“This is a brand new space for the government and industry,” he said. “We have to do it right, but it will be slower than many want it to be.”
McClure said FedRAMP will be rolled out in phases. Under the initial operating capability, FedRAMP’s Joint Advisory Board (JAB) and the program management office will focus on getting enterprisewide services that every agency can use, such as email, through the process.
“This is a segmented roll out,” he said. “We are constraining the cloud solutions that will go into it so we can kick the tires and see how it works. We’ve worked on this for a long time, but we want to be sure it meets everyone’s needs.”
One key piece to FedRAMP that will roll out quickly will be naming third party assessment organizations (3PAOs), which will review vendors cloud products and services to ensure they meet the security standards. McClure said he hopes to publish the application for third party accreditors within 30 days of OMB issuing the final policy memo.
“The third party assessment process will be based on the same process as NIST used for health IT accreditors,” McClure said. “We want to make sure the accreditors are compliant with ISO standard 17020:1998. Their management system must be compliant with the standard as well as their quality system manual, and we wanting to be sure they demonstrate technical capabilities.”
McClure said the accreditors either have to have past performance or perform a test accreditation for FedRAMP.
For the first year, GSA and NIST will approve the third party accreditors, but eventually an independent board will take over that role.
The 3PAOs will provide the JAB, which includes the chief information officers from DHS, DoD and GSA, with recommendations. The JAB then will give the vendor provisional authority to operate.
McClure said the agency buying the services has to give the vendor full authority to operate.
The second phase of FedRAMP will include full operational capabilities where more products and services go through the process. And finally, McClure said phase three is sustainability.
McClure said one remaining challenge is around where the data resides-in the U.S. only or anywhere in the world. He said agencies need to separate the cybersecurity issue from the legal and acquisition issues in this debate.
“Agencies have to answer the question themselves by looking at the sensitivities of the data,” he said. “There can’t be a one-size fits all approach.”
McClure said FedRAMP plans a broad communications and outreach effort to make sure vendors and agencies understand how the process works.