FedRAMP service expects to meet vendors' demand for cloud certifications by late 2012

Agencies this fall will be able to pick from a small menu of precertified cloud services, but most products will not be covered by a new security program intended to cut down the cost and time of accrediting technologies until 2012, General Services Administration officials told House members Thursday.

FedRAMP, a product approval program tailored to the cloud, is part of a major governmentwide switch from using in-house, notoriously budget-busting information technology systems to accessing IT services through the Internet, or the cloud.

To speed procurements, FedRAMP would task independent auditors with verifying that a vendor's product meets a governmentwide baseline set of security controls so that any agency can immediately deploy the technology.

The government, in turn, is expected to pocket the millions of dollars agencies currently waste running redundant tests on similar IT products. In the past, departments have spent $300 million on certification and accreditation activities a year, according to the Office of Management and Budget.

But the Obama administration has not finalized criteria for selecting the auditors. The initial rollout of FedRAMP will be limited in scope, covering a relatively small number of cloud providers, testified David McClure, associate administrator of GSA's Office of Citizen Services and Innovative Technologies, before the Homeland Security Department's Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies.

Full operations will start next spring, when the program will have the resources to review more applicants. In late 2012, McClure expects the supply of accredited auditors to meet the demand for reviews.

OMB should be releasing a final memorandum explaining the program "shortly," said McClure, who last fall issued a draft FedRAMP policy that detailed proposed blanket standards.

Industry groups expect FedRAMP will be more appropriate for "public cloud" nonsensitive data services that are shared with other agencies and companies, as opposed to private cloud systems used by a single agency.

CGI Federal, a unit of Canada-based CGI, late last month announced that Homeland Security had awarded it a $1.8 million contract to consolidate all its public websites in a public cloud.

Committee members raised concerns about government information being handled by a firm whose parent company is located in a country that has different privacy laws.

Homeland Security Chief Information Officer Richard Spires said CGI Federal's bid for the project meets all federal security and privacy standards. "The hosting will be done in two geographically diverse data centers that are both in the United States," he said, and later agreed with a member's request to supply the committee with a copy of the task order.

Some businesses are skeptical that FedRAMP will seamlessly generate a slate of one-size-fits-all offerings. Many agencies will want to individually tweak the security levels of the common offerings, David LeDuc, senior director of public policy at the Software and Information Industry Association, whose members are cloud providers, said in an interview.

"We think it's a good idea but [we] are waiting to see how it plays out . . . It's a big challenge," he said. "I sometimes wonder how effective FedRAMP can be."
