Centralizing Cloud Security

A governmentwide program that provides a centralized approach to security issues in cloud and multiagency IT systems soon will go into pilot.

Peter Mell, a computer scientist at the National Institute of Standards and Technology and chairman of the interagency Federal Cloud Computing Security Working Group, released details of the program at FOSE, a government information technology trade show held last week in Washington, D.C.

The Federal Risk and Authorization Management Program, or FedRAMP, will establish governmentwide security requirements and ensure compatibility on shared systems. It is intended to be an optional service that agencies can use as they move to the cloud.

Mell said that the program could radically change how security is handled in the government.

In the current model, an agency develops a system they like with security requirements they want, and they assess, authorize and perform the continuous monitoring. Then they want to sell it to other agencies; however, there is little oversight or control for the agency consumers...

If this [new] model of relationships works, it will change the way security management works in the federal government. FedRAMP currently works with a joint authorization board and security requirement authorities, then feeds approved measures to private sector providers and government information system owners.

In an interview with GovInfoSecurity, Mell said that the lack of a governmentwide authorization program for contracted IT services has hindered the adoption of cloud computing. The pilot program might speed up agencies' migration to the cloud.
