Get ready to push some paper for cloud moves

A critical part of a fast-track strategy that allows agencies to digitally borrow each other's cloud security guarantees will not be available when the operation gets under way this summer, federal officials told Nextgov.

The mantra of the new effort, called the Federal Risk and Authorization Management Program, or FedRAMP, is "Do once; use many times," meaning a department can go through the arguably arduous process of authorizing a Web-based service and then many other departments can sponge off that work to deploy the tool more quickly. The General Services Administration, which manages the program, plans for the certifications to be accessible through a central online clearinghouse.

But there are fears that a database containing vulnerability assessments for the entire federal cloud could be an attractive target for hackers, GSA officials acknowledge.

"It's largely going to be a paper-based process at the beginning because we won't have the bandwidth up in time," GSA Associate Administrator Dave McClure said in an interview. Independent auditors are scheduled to start generating the FedRAMP assessments in June.

Currently, government contractors, including Microsoft, often hand-deliver assessments out of caution. McClure said officials have not built the repository yet, but based on feedback from agencies and cloud service providers, they know access constraints will factor into its construction.

While agencies may not have instantaneous access to product certifications, vendors are expected to obtain contractual materials earlier than ever before.

Typically, suppliers are not privy to the work requirements for an information technology project before they ink a deal. But, the purpose of FedRAMP is to provide companies with consistency and transparency, officials say. Contract templates, guidance and requirements will be publicly available on the Internet, according to the Office of Management and Budget.

"These are things that many cloud service providers don't get until they sign a contract," FedRAMP program manager Matthew Goodrich said during a Wednesday afternoon briefing for interested service companies and auditors.

GSA started embracing the new openness on Friday by releasing a blanket set of about 170 controls that are supposed to help manage the risks associated with outsourcing federal operations to the Internet.

Companies will know in advance about thorny issues such as, perhaps, citizenship requirements for contractor personnel and restrictions on the location of computer rooms, said Susie Adams, chief technology officer for Microsoft Federal. Adams was attending Wednesday's briefing, which was standing room only and took place less than a month after a similarly packed FedRAMP industry session.

"We're trying to make as much known beforehand, so you know what you're getting into," Goodrich said.

Many unknowns remain, however, in this unprecedented process.

Vendors are particularly eager to learn the rules for "continuous monitoring" of threats in the cloud, an environment where federal managers have little oversight. Currently, all agencies are expected to report on antivirus updates, remote logins and other vulnerabilities by pulling live data feeds from every IT asset into a central Homeland Security Department inbox, called Cyberscope.

"Continuous monitoring is an area that is definitely evolving . . . particularly the real-time reporting by the cloud service provider to the government," McClure said at the briefing. But the FedRAMP monitoring criteria will match up with existing continuous monitoring standards, he said, adding, "we are not doing anything new."

The Obama administration is trying to shift about 20 percent of the government's $80 billion annual IT bill from in-house systems to cloud services. Conducting back-office work virtually through server space and software maintained by third parties is anticipated to save about $5 billion yearly.

But translating security procedures for the cloud province will take time, both vendors and FedRAMP program managers say.

"We're looking at a couple-year effort to get this to where they see the true benefit," Adams said.

McClure told contractors in attendance, "The true test will be when you see agencies start to leverage authorizations of other agencies."
