Cloud companies planning to apply in June for certification to sell Web services governmentwide will not be obligated to provide automated threat reports, the government’s purchasing agency told Nextgov.
Until now, the Obama administration had expected agencies to outfit all information technology with “continuous monitoring” tools that feed risk indicators, such as unauthorized logins, to the Homeland Security Department.
The Federal Risk and Authorization Management Program, a cloud accreditation process, stipulated that Web-based IT providers supply agencies with these data feeds in a concept of operations released earlier this year.
But officials at the General Services Administration, which manages FedRAMP, are still figuring out how to compel real-time information sharing between private companies and agencies. With cloud computing, departments essentially outsource their IT to a commercial data center over which they have no control.
Despite the absence of guidance on automated surveillance, FedRAMP is anticipated to grant its first certifications by the end of December, GSA and the department’s hired auditors said this week. The program will start accepting applications on June 6. Certified cloud services will be announced on FedRAMP.gov as authorizations are awarded, officials said. Accredited providers will receive directions on marketing their products with a FedRAMP logo and citing the distinction in press releases.
At the outset, companies will report on security controls periodically through manual reporting, GSA officials said. Homeland Security and GSA will provide a detailed roadmap for instituting data feeds, as both FedRAMP and continuous monitoring, in general, mature, they said.
GSA officials explained that while automated real-time reporting is not a must-have, internal real-time monitoring is. Cloud suppliers must constantly track the protection of government assets for their own record-keeping. Reports summarizing this surveillance will be submitted quarterly, bi-annually or annually, as opposed to fed live to the government directly.
GSA Associate Administrator Dave McClure and Mark Weatherford, DHS deputy undersecretary for cybersecurity, are expected to discuss these plans more in depth at a June 13 breakfast co-sponsored by Nextgov’s parent organization Government Executive Media Group and the SANS Institute.
To cut costs and speed a federal shift to the cloud, agencies are supposed to use FedRAMP for verifying the security of cloud purchases. The Office of Management and Budget estimates the government in the past has spent $300 million annually on IT certification and accreditation activities, partly due to redundant assessments. FedRAMP is intended to bring Web services into compliance with a universal set of security standards so that any certified product will be safe for use at all agencies.
Once FedRAMP begins, one of nine GSA-approved, independent auditing bodies named earlier this month will examine whether a prospective service meets the uniform requirements -- once. Then, any agency can reuse the certification to immediately deploy the cloud product without paying for another examination.
Cloud providers owning just a few servers could pass muster within 30 days, according to some of the chosen assessors. Computer racks at technology giants such as Amazon could take up to three months to inspect, unless the company has a dedicated enclave for federal customers, they added.
Competition for FedRAMP logos is expected to be high. “It’s been a week and we’ve gotten a lot of calls and emails from service providers,” said Paul Nguyen, vice president of cyber solutions for auditor Knowledge Consulting Group, estimating the number of inquiries to be about 15.
“This is one of the most public-facing programs for people who want to work with the government -- they all want to be FedRAMP-certified.” Nguyen said his 250-person company should be able to handle the initial interest. More assessors will be added on a rolling basis, GSA officials said.
Cloud vendors are responsible for covering inspection expenses. Fees can range from $20,000 to more than $200,000, depending on the size and complexity of the firm’s computing facility, according to some auditors.
The pace of a review largely will depend on the candidate’s legwork in conforming with up to 300 blanket controls, inspectors predicted.
“It really becomes a question of how prepared the cloud service providers are,” said Todd Coen, vice president of auditor DRC's homeland security solutions division. If a firm is ready to demonstrate compatibility with the safeguards, DRC could compile an assessment packet for the government within two and a half months, he said.
“By the end of summer, early fall, we should definitely start seeing those packages coming,” Coen said.
While cloud providers appear interested in participating, it’s less clear whether all agencies trust the process enough to use it.
“I still think there is a healthy skepticism in the market for cloud in general,” Coen said.
But he noted an interagency panel, the Joint Authorization Board, which signs off on final audited products, includes experts from agencies with high standards, including the Defense Department.
“I don’t think there is anything covert about the fact that they chose folks like DHS and DoD to be the main players on the JAB,” Coen said. “My sense is that if you can get these guys to agree on what would give them the sense that their data would be secure -- that they would want to use these packages. If you can save money when times are very tight, this is a great way to do it.”
Clarification: This story has been updated with newer information and to clarify that internal real-time monitoring is still necessary for cloud service providers seeking government certification.
(Image via SCOTTCHAN /Shutterstock.com)