The final version of cloud cybersecurity standards under the FedRAMP program may not be finished until the fall. But when it is done, the General Services Administration and the National Institute of Standards and Technology are setting up a process for independent third party companies to validate commercial cloud computing providers’ implementation of the FedRAMP requirements.
Ron Ross, NIST’s senior fellow, said Wednesday the program will accredit third party experts to assess security controls of cloud service providers. Ross said NIST and GSA would approve the companies to offer these accreditation services. The independent validation and verification (IV&V) companies would use international standards and be hired by cloud providers.
“The independence is very important to build the trust between all the parties,” he said during a panel discussion at the FOSE trade show, sponsored by 1105 Government Information Group, in Washington.
NIST and GSA’s approach is similar to the one set up to approve product and service vendors under Homeland Security Presidential Directive-12 (HSPD-12). NIST also set up a comparable program for health IT vendors.
“That independence that comes with that third party, a neutral party that can make clear and concise determinations whether people meet any requirements whether it’s health IT, PIV cards or whatever the thing might be,” he said. “We find this could be used for cloud, but also it can be used for systems in general. So if you are doing an authorization process within your agency, you now will have a list of preferred providers that you can go out there and hire to do those kinds of assessments.”
The third-party certification process should be in place shortly after the final FedRAMP requirements are ready.
NIST will put out an announcement and hold some workshops to get vendors engaged.
“There will be a whole process [a vendor] will go through,” he said. “There will be requirements that will be laid out for the assessment organizations all under international standards, ISO standards. That will be coming out in the near future.”
Ross said several types of companies could provide this work, and vendors that have performed IV&V or certification and accreditation in the past would be candidates to become third-party accreditors.
In the meantime, GSA is trying to make it easier for agencies to buy cloud services through its infrastructure-as-a-service (IaaS) contract.
Dave McClure, GSA’s associate administrator in the Office of Citizen Services and Innovative Technologies, said several of the vendors under the IaaS blanket purchase agreement received the authority to operate (ATO) – meaning they can start offering services under the IaaS contract to agencies.
Eyak Technologies and Horizon Data Center Solutions were the first to receive an ATO July 1. One vendor source, who requested anonymity because they didn’t get approval from their company to speak to the press, said Appitis also received approval, while CGI and CTC are close.
McClure said there are several cloud areas, such as human resources or financial management applications, where agency participation will range from dipping a toe in to jumping in with both feet.
“Infrastructure-as-a-service and email-as-a-service are beginning to root themselves,” McClure said. “It’s still evolutionary and it’s still in its early stages, but I think we will continue to see a healthy take up of cloud computing. It’s inevitable trends at any one time.”
Along with the effort to create a network of third-party cloud security accreditors, NIST continues to update and evolve its cybersecurity guidance.
Ross said NIST issued a privacy controls appendix to its security controls document (SP 800-53). He said the document elevates privacy controls to the same level as security.
“It consists of a series of privacy controls, based on the federal information practice principles, FIPS,” he said. “It’s our attempt to put some structure and discipline to the requirements that will allow agencies to have, like our security controls, well defined specifications for privacy that can be implemented and then enforce the privacy requirements that are driven from the Privacy Act of 1974, the E-Government Act of 2003 and OMB policy.”
The new appendix builds off the Federal Enterprise Architecture’s privacy profile, which spans all parts of the business, data and other layers.
NIST also will revise SP 800-53 in its entirety later this year. The publication, which details the major security controls for federal systems, will address several new and emerging cyber threats, including the insider threat, Web and email security, and security controls for critical infrastructure.
Ross said a draft should be out by September and a final document is expected by December.