White House proposes common security requirements for cloud computing

New standards would be accessible to agencies and contractors, and aim to expedite transition to universal Web-based services.

The Obama administration on Tuesday proposed a common set of security requirements for cloud computing that all federal agencies and contractors could share. The move is intended to expedite the transition to universal Web-based services by eliminating the need for agencies to assess and authorize every information technology product. During the next decade, the White House wants agencies to shift their IT operations to the cloud -- the collective term for software, servers and file storage that users access online on a subscription basis -- instead of managing and owning individual, in-house infrastructures.

The new blanket specifications, referred to as the Federal Risk and Authorization Management Program (FedRAMP), are designed to allow contractors and one agency to evaluate and sign off on security controls and then let every other agency use the same template. "Completing the security assessment and authorization process separately by each customer is redundant," the 90-page proposal stated. A "governmentwide risk and authorization program will promote faster and cost-effective acquisition of cloud computing systems by using an 'authorize once, use many' approach to leveraging security authorizations."

Cloud computing advocates have long said the technology will save money, reduce the government's greenhouse gas emissions and increase productivity. But the main drawback always has been agencies' concerns about losing control of their data in a shared, online pool of information.

Under the guidelines, all the security requirements, processes and forms will be available to every federal agency as well as vendors. The document said this decision epitomizes the administration's commitment to transparency. "Private industry will also finally have the full picture of what a security authorization will entail prior to being in a contractual relationship with an agency," the proposed rules stated.

The General Services Administration on Oct. 19 announced a $76 million agreement with 11 companies, including Amazon, AT&T, Microsoft and Verizon, to offer cloud-based IT infrastructures governmentwide.

"Ensuring data and systems security is one of the biggest and most important challenges for federal agencies moving to the cloud," said David McClure, GSA's associate administrator for citizen services and innovative technologies. "FedRAMP's uniform set of security authorizations can eliminate the need for each agency to conduct duplicative, time-consuming, costly security reviews."

Federal CIO Vivek Kundra added, "By simplifying how agencies procure cloud computing solutions, we are paving the way for more cost-effective and energy-efficient service delivery for the public while reducing the federal government's data center footprint."

GSA and the Chief Information Officers Council are encouraging the public to comment on the templates, guides, common security requirements and other aspects of the program by Dec. 3.