Agencies, contractors get rules of the road for cloud security approvals

By summertime, departments will begin using a one-size-fits-all model for certifying that hardware and software accessed over the Web is protected.

Federal cloud providers by June 2012 will have to comply with new uniform security controls so that multiple agencies can piggyback off the certifications for faster installation, White House officials announced Thursday.

To more quickly slice $5 billion from the government's annual $80 billion information technology tab, the Obama administration has released requirements for expediting cloud security approvals. Protecting data in the cloud -- or remote storage and software accessible online -- has been a stumbling block for some federal managers, officials said. The Federal Risk and Authorization Management Program (FedRAMP) is a process aimed at guaranteeing that a vendor's goods adhere to baseline controls, so that any agency can immediately deploy the services without reassessing the product's safety.

Recycling accreditations is expected to save the government 30 percent to 40 percent in testing and procurement costs, federal Chief Information Officer Steven VanRoekel said. "Cloud computing has become an integral part of the government's DNA," he told reporters. "One of the main challenges that people have identified is around security and using security as a barrier to entry around cloud computing."

By early January, the government's Chief Information Officers Council will publish the standard controls, according to the memorandum. The General Services Administration, charged with FedRAMP program management, will issue instructions for agencies on how to navigate through the process. Within six months, the program will begin initial operations.

All agencies will be expected to use FedRAMP before buying cloud services, and vendors will be contractually bound to comply with its standards, officials said. Independent auditors will gauge each product's compliance.

If FedRAMP cannot meet an agency's cloud security needs, then the agency must report to the White House the reasons why for each service and include alternative approaches, the regulations state.

The Obama administration will create a secure online repository for agencies to share boilerplate contract language on products that already have gone through the FedRAMP process, according to the memo.

On Thursday, officials said agencies during the past year have shifted 40 IT services, such as email and collaboration software, to the cloud and identified 79 more services to transfer by June. Much of the cost savings from the moves is anticipated to come indirectly from abandoning existing in-house systems and real estate. Fifty systems have been retired during the past year, VanRoekel said.

The verdict on the real cost-efficiency of the cloud is still out. More than half of private sector users saved little or no money after switching to the cloud, according to a new study by technology contractor CSC, and only 14 percent actually downsized their IT shops after moving.

Most national security systems, some of which are classified, are exempt from the program.

While the directive reflects consensus among key agencies and vendors, the rules could change in the future to resolve concerns, VanRoekel said.

"This is a first step," he said. "We're going to continue to get feedback and continue to evolve." No cloud suppliers have been certified yet, officials said.

David McClure, GSA administrator for Citizen Services and Innovative Technologies, added, "We're designed to be troubleshooters and make the process work and we're really looking forward to ramping up."

Industry groups welcomed the seemingly easier inspection procedures, which they said address most concerns about draft FedRAMP provisions released a year ago.

David LeDuc, public policy director at The Software and Information Industry Association, said, "In the big picture, we're pretty excited that the administration is really making progress on their commitment to cloud adoption." Association officials said the administration largely resolved criticisms that the proposed controls were too prescriptive.

It remains unclear how the government will handle the issue of monitoring software updates. The draft required cloud providers to reassess controls each time they upgrade software, which happens weekly at some firms. Thursday's memo calls for GSA and other program overseers to write instructions on how companies are to continuously review configurations within the FedRAMP framework.

Trade group TechAmerica also praised the White House's effort to jump-start cloud implementations. Attention should now turn to securing funding, the group said. Part of FedRAMP currently is funded through an e-government account covering many online operations, which Congress recently decreased to $8 million, rejecting the president's $34 million request. "I think it's an important program that deserves a line item," said Jennifer A. Kerber, TechAmerica vice president for federal and homeland security policy.

Administration officials plan for FedRAMP to be in full swing by late 2012.

Some former government officials offered cautious optimism about the timeline for rollout, pointing out it took the administration 12 months to nail down just the basic guidelines.

"What they've defined is a governance structure which is what I think they need to do," said John Gilligan, who served as CIO for the Energy Department and Air Force. "The concern is that the processes really need to be fine-tuned. The concern is that this really turns into a massive bureaucracy."

Earlier in the day, McClure acknowledged there are outstanding concerns and reiterated that FedRAMP will continue to evolve.