White House considers relaxing cloud security requirements

Industry officials say some FedRAMP mandates hinder implementation of plans to outsource more computing to Web services companies.

Obama administration officials are considering relaxing some security requirements for cloud computing certification to expedite deployments, after the software industry raised concerns about impractical, one-size-fits-all controls, federal officials said.

The goal of the initiative, called the Federal Risk and Authorization Management Program (FedRAMP), is to provide departments with standard procedures for reviewing safeguards in Web-accessible information technology used by multiple agencies. Federal officials expect to get the program off the ground by this summer.

"If they take it in the right direction, [a summer launch] sounds about right," David LeDuc, public policy director at the Software and Information Industry Association, told Nextgov. "I think this is a remarkable effort. I think that's an aggressive goal, but I also think it's achievable."

In November 2010, the General Services Administration, in conjunction with the Office of Management and Budget and the Chief Information Officers Council, released a draft of the blanket procedures to gather comment from contractors. Federal CIO Vivek Kundra then extended the deadline for responses from Dec. 2, 2010, to Jan. 17, 2011, explaining at the time that the development of FedRAMP is critical to the future of federal cybersecurity.

But SIIA has rejected certain FedRAMP requirements that it says threaten to slow cloud computing implementations. A new OMB cloud-first policy calls for every agency to identify three "must move" services and migrate them to the cloud within 18 months.

While the industry praises the cloud-first policy and FedRAMP's concept of "certify once and use often," association officials said the controls the current specifications require could prevent vendors from being able to move agency computing operations to the cloud by the deadline.

In its Jan. 17 comments, SIIA argued, "[The] proposed controls are, in many cases, overly prescriptive and not sufficiently vendor neutral, nor do they effectively differentiate between the three basic cloud functions" for infrastructure, databases and applications.

GSA now is examining a recommendation by SIIA leaders that the required safeguards be specific to desired security levels.

"We are working collaboratively with government and industry experts to explore the potential merits of moving toward a performance-based security assessment process, especially for technical security controls," GSA spokeswoman Sara Merriam said on Thursday. "The FedRAMP requirements must facilitate the trust required between agencies and industry to work toward proactive cloud computing adoption in support of the administration's cloud-first policy."

Cloud computing is a means of outsourcing software, server, storage and other IT needs to Web services companies. The idea is that paying for online access to IT on a subscription basis, rather than maintaining systems in-house, will save the government money.

GSA officials also said they are open to requiring fewer security assessments for smaller cloud contracts and decreasing the number of controls that would be subject to such monitoring. Under the proposed FedRAMP, vendors would have to conduct a security review every time they upgrade their software.

Cloud companies, unlike traditional software firms, modify their products and services many times a year, SIIA officials said. The additional cost to comply with this kind of continuous monitoring could make it difficult for vendors to justify doing business with the government, the association's comments stated. The industry recommended assessing fewer controls and requiring such analyses only for major federal contracts.

Both suggestions are under consideration, according to GSA officials. "We are evaluating how automation can be used in conjunction with continuous monitoring and doing so in a way that does not increase the burden on cloud computing service providers," Merriam said.

One common fear that has slowed cloud computing adoption is that maintaining data remotely, on networks and databases shared by many other subscribers, might increase the chances that data will be lost or compromised. Moreover, the WikiLeaks mess, in which a soldier allegedly downloaded mounds of classified and confidential federal files onto a music CD, has renewed agencies' focus on ensuring all sensitive government data remains encrypted.

The draft FedRAMP rules stipulate that all sensitive data, whether in-transit or stored in the cloud, must be encrypted. SIIA officials argued that cryptography controls should apply only to data in transit.

"It's not highly efficient to have it encrypted wherever it is," LeDuc said. "If it's effectively stored, it doesn't need to be encrypted."

Some security experts disagree. Roy E. Hadley, co-leader of the cloud computing and cybersecurity practice at law firm Barnes & Thornburg LLP, said, "The safest bet is to protect the data itself and not worry so much about where it's transported and where it's stored."

When asked if GSA is open to exempting data stored in the cloud from the encryption rules, Merriam said, "The encryption of data at rest is a mandatory requirement for all sensitive data. We have received and are evaluating comments regarding data encryption requirements."

She said the administration's target start date for FedRAMP is still summer 2011, but federal officials have not finished assessing the public comments, so "time frames could be affected depending on follow-up decisions reached."