
Clouds don’t need real-time threat reporting tools to win federal stamp of approval


Cloud companies planning to apply in June for certification to sell Web services governmentwide will not be obligated to provide automated threat reports, the government’s purchasing agency told Nextgov.


Until now, the Obama administration had expected agencies to outfit all information technology with “continuous monitoring” tools that feed risk indicators, such as unauthorized logins, to the Homeland Security Department.

In a concept of operations released earlier this year, the Federal Risk and Authorization Management Program, a cloud accreditation process, stipulated that Web-based IT providers supply agencies with these data feeds.

But officials at the General Services Administration, which manages FedRAMP, are still figuring out how to compel real-time information sharing between private companies and agencies. With cloud computing, departments essentially outsource their IT to a commercial data center over which they have no control.

Despite the absence of guidance on automated surveillance, FedRAMP is anticipated to grant its first certifications by the end of December, GSA and the agency’s hired auditors said this week. The program will start accepting applications on June 6. Certified cloud services will be announced as authorizations are awarded, officials said. Accredited providers will receive directions on marketing their products with a FedRAMP logo and citing the distinction in press releases.

At the outset, companies will report on security controls periodically through manual reporting, GSA officials said. Homeland Security and GSA will provide a detailed roadmap for instituting data feeds as both FedRAMP and continuous monitoring in general mature, they said.

GSA officials explained that while automated real-time reporting is not a must-have, internal real-time monitoring is. Cloud suppliers must constantly track the protection of government assets for their own record-keeping. Reports summarizing this monitoring will be submitted quarterly, semiannually or annually, rather than fed live to the government directly.

GSA Associate Administrator Dave McClure and Mark Weatherford, DHS deputy undersecretary for cybersecurity, are expected to discuss these plans more in depth at a June 13 breakfast co-sponsored by Nextgov’s parent organization Government Executive Media Group and the SANS Institute.

To cut costs and speed a federal shift to the cloud, agencies are supposed to use FedRAMP for verifying the security of cloud purchases. The Office of Management and Budget estimates the government in the past has spent $300 million annually on IT certification and accreditation activities, partly due to redundant assessments. FedRAMP is intended to bring Web services into compliance with a universal set of security standards so that any certified product will be safe for use at all agencies.

Once FedRAMP begins, one of nine GSA-approved, independent auditing bodies named earlier this month will examine whether a prospective service meets the uniform requirements -- once. Then, any agency can reuse the certification to immediately deploy the cloud product without paying for another examination.

Cloud providers owning just a few servers could pass muster within 30 days, according to some of the chosen assessors. Computer racks at technology giants such as Amazon could take up to three months to inspect, unless the company has a dedicated enclave for federal customers, they added.

Competition for FedRAMP logos is expected to be high. “It’s been a week and we’ve gotten a lot of calls and emails from service providers,” said Paul Nguyen, vice president of cyber solutions for auditor Knowledge Consulting Group, estimating the number of inquiries to be about 15.

“This is one of the most public-facing programs for people who want to work with the government -- they all want to be FedRAMP-certified.” Nguyen said his 250-person company should be able to handle the initial interest. More assessors will be added on a rolling basis, GSA officials said.

Cloud vendors are responsible for covering inspection expenses. Fees can range from $20,000 to more than $200,000, depending on the size and complexity of the firm’s computing facility, according to some auditors.

Several agencies, such as NASA and the Federal Aviation Administration, already are drafting contract solicitations that favor FedRAMP-approved firms, even though there aren’t any yet.

The pace of a review largely will depend on the candidate’s legwork in conforming with up to 300 blanket controls, inspectors predicted.

“It really becomes a question of how prepared the cloud service providers are,” said Todd Coen, vice president of auditor DRC's homeland security solutions division. If a firm is ready to demonstrate compatibility with the safeguards, DRC could compile an assessment packet for the government within two and a half months, he said.

“By the end of summer, early fall, we should definitely start seeing those packages coming,” Coen said.

While cloud providers appear interested in participating, it’s less clear whether all agencies trust the process enough to use it.

“I still think there is a healthy skepticism in the market for cloud in general,” Coen said.

But he noted an interagency panel, the Joint Authorization Board, which signs off on final audited products, includes experts from agencies with high standards, including the Defense Department.

“I don’t think there is anything covert about the fact that they chose folks like DHS and DoD to be the main players on the JAB,” Coen said. “My sense is that if you can get these guys to agree on what would give them the sense that their data would be secure -- that they would want to use these packages. If you can save money when times are very tight, this is a great way to do it.”

Clarification: This story has been updated with newer information and to clarify that internal real-time monitoring is still necessary for cloud service providers seeking government certification.

(Image via SCOTTCHAN /
