GSA hands agencies cloud security marching orders

The guidelines provide more clarity on continuous monitoring requirements and the role of Homeland Security.

This story has been updated.

The General Services Administration on Tuesday released marching orders for a new cloud certification program.

The 47-page "concept of operations," or CONOPS, is intended to offer federal agencies and their contractors step-by-step instructions for proceeding with the mandatory authorizations that are slated to start in June.

The Federal Risk and Authorization Management Program, or FedRAMP, is envisioned as a sort of factory line for approving a particular Web-based service once so that any agency can almost immediately adopt it. Certain products will get to be the first in line, according to the document. They include "infrastructure as a service" tools that provide remote storage and networking, email, and other common collaboration applications. Government-approved, independent auditors then will evaluate each product's compliance with about 300 controls, such as backup storage requirements.

Tuesday's policy fleshes out the role of the Homeland Security Department in the operation. DHS officials will coordinate recovery in the event of an intrusion and develop standards for real-time monitoring of threats, the concept stated.

Incident response is a sometimes sore spot between government and industry because companies are sensitive about potentially having to disclose nongovernment customer information or breaches that could damage their brand. The guidelines state that FedRAMP and DHS personnel will handle response efforts on the agency side, for example, by performing forensic analysis to determine the cause and containing the threat. Their full findings will not be shared; instead, only summaries will be provided to agency cloud customers.

Agencies, cloud suppliers and auditors recently received from GSA a list of standard protections each service must offer, as well as a memo generalizing the responsibilities of each player.

Tuesday's release explains what happens after a product passes muster with an auditor. Homeland Security and FedRAMP program officials will evaluate services deployed at agencies on an ongoing basis to assure the protections are holding up. If a company significantly upgrades a feature, then an outside auditor must reassess the risks.

This contingency has raised concerns among cloud providers, some of whom enhance their services weekly. The operations guidance for the first time illuminates what types of adjustments constitute a material change that requires another inspection: "These changes include, but are not limited to, [the cloud service provider's] point of contact with FedRAMP, changes in the CSP's risk posture, changes to any applications residing on the cloud system, and/or changes to the cloud system infrastructure."

After any audit, the cloud company likely will have to resolve weaknesses highlighted by the evaluator, the memo explained. The company must submit the auditor's assessment and a to-do list that addresses the identified vulnerabilities to the government. An interagency board consisting of security experts from DHS, the Pentagon and GSA then decides whether to accept the product's risk level and authorize the tool, or to send the supplier back to the drawing board.

Companies that make the grade will be listed as authorized governmentwide providers on the FedRAMP program's website, according to GSA officials.

Tuesday's guidelines provide more clarity on real-time threat tracking, or continuous monitoring. Cloud products, like an agency's own in-house systems, will be required to automatically feed DHS updates on security vulnerabilities. In addition, product suppliers must annually hire an auditor to reevaluate select controls so the government has confidence the safeguards are still working.

In 2014, a private accreditation body will take over the job of approving auditors, the policy stated. By that time, the government expects FedRAMP operations will be bolstered by a "self-sustaining funding model." Going forward, the program's budget is uncertain. Right now, it is partly funded through an e-government account covering many online operations that Congress recently increased to $12.4 million, still far below President Obama's $34 million request.