FedRAMP high is coming soon

The next few months will be busy for the Federal Risk and Authorization Management Program as it launches its high baseline standards, issues new requirements for third-party assessment organizations and spreads the cloud security gospel, FedRAMP Director Matt Goodrich said at the Advanced Technology Academic Research Center's cloud summit on Jan. 13.

More than a year in the making, "FedRAMP high" has been subject to public comment from various stakeholders. With no major changes proposed to the latest draft, the high-security baseline should be published in its final form by February or March, Goodrich said, with requirements for third-party assessment organizations coming at the end of February.

Goodrich stressed the importance of working closely with agencies on the new baseline. FedRAMP's "agency evangelist" Ashley Mahan will embark on an agency-by-agency tour in the coming months to ensure that the program is working and that every agency has a dedicated FedRAMP person. Officials will also be seeking "customer journey" stories from agencies.

In addition, they will try to procure an automated review process by partnering with another General Services Administration outfit, 18F. And Goodrich said he plans to use 18F's micro-purchase reverse auctions to solicit Python developers for the project.

The future of cloud

Agriculture Department CIO Jonathan Alboum was one of many agency leaders who talked about trust in the cloud at the ATARC event.

"I wouldn't say that we're a cloud broker yet," he said, explaining the dual cloud adviser/provider role USDA is trying to embrace for its agencies. "That's the direction that we have to go."

Part of the advisory role will involve promoting trust.

"The real challenge for us is being able to keep up," he said of USDA's homegrown cloud operation, noting that companies such as Amazon and Google dwarf USDA's research and development spending. "It's going to be very difficult for an organization like ours to ever keep up."

Such imbalances motivate Air Force CTO Frank Konieczny to eschew USDA's approach.

"We're kind of different," Konieczny said. "We want to get out of the business. We don't want to manage anything." He added that he'd rather buy private-sector expertise than devote scarce personnel to cloud problems.

Other participants called for contracting changes.

"If you have to pay for everything in advance before you use it, it's pretty much impossible to take advantage of [cloud's dynamic potential]," said International Trade Administration CIO Joe Paiva, who advocated having agencies buy cloud services through bigger contracts.

In a post-event discussion with FCW, two USDA officials pointed to GSA's recent Salesforce.com blanket purchase agreement as a promising example of such a contract.

Paiva also touted the potential security of the cloud.

"Every time we get breached, it's like 'Groundhog Day,'" Paiva said. Attackers send infected email messages to gain initial entry, hang around to nab administrative credentials and then move laterally through a network. "Using two-factor authentication doesn't fix that. Virtualizing the environment doesn't fix that."

The real fix is having everything in the cloud. "If you have no network, no one can move laterally in your network," Paiva said.

He also issued a call for agencies to stop creating their own tools and instead rely on well-designed, off-the-shelf offerings.

"He's trying to pick a fight with me," U.S. Citizenship and Immigration Services CIO Mark Schwartz said. "The problem is your [software-as-a-service] application is not going to exactly meet your needs, and you're going to customize it." That customization, he argued, can introduce more security flaws than would have existed in applications that were custom-coded from the start.