
GSA has yet to approve any cloud products under FedRAMP


Up against a self-imposed Dec. 31 deadline, the government’s purchasing arm has yet to endorse any cloud products for quick acquisition. Some applicants and testers say the General Services Administration has been mum about the hoped-for announcement on approvals.

Confusion over paperwork has complicated efforts for the Federal Risk and Authorization Management Program, or FedRAMP, according to interviews with cloud vendors and inspectors. FedRAMP, a security evaluation process, is intended to certify services for immediate use in any government agency. Inspections began in June.

Last week, GSA, which runs the program, released rules on the color scheme, placement and permitted uses of the FedRAMP seal of approval. Several auditors said constructive discussions about the contents of their evaluation reports and providers’ security plans have consumed more time than expected.

On Friday, in a written response to a question from Nextgov during a November industry webinar, FedRAMP officials stated, “At this time, no cloud service providers have received a provisional authorization” -- the term for an endorsement allowing governmentwide plug-and-play use. Officials wrote they “anticipate the first authorizations to come at the end of the year/January 2013.”

Separately, GSA officials said they were not in a position to comment for this article.

All the communications have run up costs for GSA, applicants and auditors, those interviewed said. But no one is complaining, they added, because ever since the government first proposed the concept in 2010 all have understood that this is an experiment.

The goal of FedRAMP is to speed the shutdown of costly federal computer rooms and outsource network operations to shared clouds, thereby reducing expenditures and increasing technical flexibility. The Obama administration expects to save about $5 billion annually by shuttering roughly 40 percent of the government’s data centers. By axing duplicative audits, agencies could pocket between 30 percent and 40 percent of their usual testing and procurement expenses.

Talks between testers and cloud vendors, testers and the FedRAMP office, and vendors and prospective agency clients have drawn out this first certification round. In some cases, an assessor might need more detail from a company. Or the cloud provider might request a second evaluation because it modified a product in response to agencies’ changing needs.

Paul Nguyen, a vice president for FedRAMP auditor Knowledge Consulting Group, said inspectors have had to adjust the amount of information they document for GSA and refine the formatting of reports. “The nuances always come with how people want to see the information,” he said.

Meanwhile, cloud applicants have had to expand their cloud security plans drastically to satisfy the government and auditors, said Tom McAndrew, an executive at Coalfire Federal, another FedRAMP auditor. The hang-ups that cloud companies hit involve mainly bookkeeping, not necessarily technical problems, he said.

Plans “go from 80 pages to over 1,000 pages to meet the level of granularity needed for FedRAMP,” McAndrew said.

One administrative issue deals with a list of physical assets, applications, virtual assets and databases that applicants must file. The difficulty is that companies’ data center components and services continuously shift.

“In larger, dynamic environments, there is no finite list and the number of assets changes on a near continuous basis. How do you document an asset list that is dynamic and scalable, and how does an assessor select a sample size that is appropriate?” McAndrew questioned.

Microsoft is experiencing the same accounting challenge. “We added some more data centers, so now that’s added some more assets,” said Susie Adams, Microsoft federal chief technology adviser.

A related predicament: Auditors must fulfill multiple change orders because cloud providers’ equipment and software are evolving in response to what agencies want out of the cloud, McAndrew said. For example, the Pentagon may want military data housed in the European Union, which has unique background check requirements. Meanwhile, civilian U.S.-based agencies may not need those background checks. To meet such demands, the cloud provider alters its product line, which then requires a second security evaluation.

Neither the companies nor GSA have all the answers yet, Adams said. Microsoft expects at least one of its offerings to be accredited by April 2013.

Aside from time, delays cost everyone money. Most companies are facing assessments that last between 500 and 1,000 hours, at a rate of $100 to $200 per hour, so the tab can total $200,000, according to McAndrew. His company sometimes will absorb the extra expenses associated with paperwork changes, he said.

GSA is tight on resources for FedRAMP. The program has the capacity to support only 10 to 12 providers, according to those interviewed. Since June, about 80 providers have expressed interest in applying.

Most cloud companies have hired consultants, such as Ernst and Young, to help them through the audits. Those consultants are on the company’s payroll for as long as the process takes, Adams said.

“FedRAMP will save money over time, but it won’t save money in year one,” McAndrew noted.

Adams added, “It’s just the back and forth nature of getting everyone on the same page.”

(Image via Mr. Aesthetics/Shutterstock.com)
