Analysis: FedRAMP's flaws

A cybersecurity expert critiques the new program seeking to address security in the cloud.

On Nov. 2, the federal Chief Information Officers Council released a draft of the Federal Risk and Authorization Management Program (FedRAMP), designed to meet the security authorization challenges associated with federal cloud computing. Rather than meeting those challenges, however, the new program has major flaws that will lead to a broad failure to measurably improve security in cloud computing.

As the federal government shifts from reliance on single-purpose servers to cloud computing, it can look forward to gains in productivity and flexibility and substantial cost savings. The main sticking point is security. Will the move to the cloud open new security holes, and how can that be prevented?

FedRAMP is an interagency project led by the National Institute of Standards and Technology, the General Services Administration, and the CIO Council. The final version will be presented to federal information technology managers on Nov. 14. It proposes an "assessment and authorization" methodology to replace the certification and accreditation regime that has been discredited in numerous congressional hearings.

The new program could have provided the opportunity to improve the existing system, by using continuous monitoring, meeting needs in application security, and ensuring the effectiveness of security testing procedures at the cloud site. Instead, it retains the worst flaws of the old regime and ignores proven techniques for rapid low-cost security improvements.

The most damaging flaw in FedRAMP is its lack of attention to application security. When the government uses the cloud, it usually hires two contractors: one to run the infrastructure and a second to manage the application. The approach taken by FedRAMP almost completely ignores the responsibility of the application contractor to ensure that the application is secure and all its components updated and patched. Application attacks have surpassed system-level attacks as the primary vector for cyber exploitation for more than two years.

A second big flaw is FedRAMP's retention of the entire NIST Special Publication 800-53 control structure for low- and medium-impact cloud applications. That control structure overemphasizes controls of little importance and understates the need for continuous monitoring of the 20 critical controls.

A closely related FedRAMP flaw is its misuse of the term "continuous monitoring." That term means testing security controls every day or every two days, because flaws left for longer periods are highly likely to be exploited. Continuous monitoring every day or two is the most powerful security improvement technique agencies have discovered in the recent past, accounting for a 90 percent-plus reduction in risk while requiring less money than was spent on periodic paper reports. Yet FedRAMP calls for quarterly and annual testing and report writing.

FedRAMP is a throwback to the days of contractors producing thousands of three-ring binders full of security reports that have little or no impact on improving federal cybersecurity. Hundreds of millions of dollars were wasted every year for a decade producing those reports. Both Sen. Tom Carper, D-Del., and Federal CIO Vivek Kundra are on record in congressional hearings calling for an end to such practices. Yet FedRAMP institutionalizes that very same process.

The only group that gains from excessive production of paper reports full of out-of-date, low-impact security reporting is federal contractors, which, unfortunately, likely explains the errors in the program design. Many of these same contractors have worried aloud that Kundra's initiative to move to continuous monitoring might deprive them of their financial windfall from producing paper reports.

Continuing the requirement for such reports in the cloud computing assessment process would give the contractors another three to five years of federal largess, but it would be an unwise use of resources and would prevent FedRAMP from being the cutting-edge security mechanism the country needs. Such a scenario can be avoided by changing the draft report to recommend forward-looking and truly continuous monitoring that employs the most modern, low-cost tools available to protect and update the security of cloud computing.

Alan Paller is director of research at the SANS Institute, an information security training organization and partner of Nextgov on cybersecurity events.