GSA fast tracks requirements for FedRAMP

The General Services Administration is in the final stages of shoring up the requirements for a governmentwide program to certify and accredit cloud computing products and services.

Katie Lewin, GSA’s cloud computing program manager in the Office of Chief Information Officer, said the agency will issue Version 2 of the Federal Risk and Authorization Management Program (FedRAMP) requirements by the end of August or early September, as reported by Federal News Radio’s Jason Miller.

The GSA, Defense and Homeland Security are reviewing public- and private-sector comments on Version 1 of the requirements, Lewin said during a presentation at the Information Security and Privacy Advisory Board (ISPAB) meeting in Washington, D.C.

Version 2 of the FedRAMP requirements will include security controls detailed in the National Institute of Standards and Technology's Special Publication 800-53R as well as enhancements.

GSA will list the FEDRAMP requirements on www.info.apps.gov and www.cio.go.

Related coverage:

Governmentwide security certification could bolster cloud, report says

“Looks like they are moving along fairly aggressively, at this point, which is encouraging,” David Linthicum, chief technology officer of consulting firm Blue Mountain Labs, said in an interview with Government Computer News.

A governmentwide certification and accreditation process for securing cloud computing infrastructures could accelerate adoption of the computing model among agencies, said Kevin Paschuck, vice president of public sector with RighNow, a provider of cloud computing services to the government.

“This will remove that hesitation that still remains across the federal government on the cloud," Paschuck said.

Cloud computing provides on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Announced in May, FedRAMP is an interagency effort whose aim is to reduce duplicate efforts and security compliance expenditures, as well as encourage rapid acquisition time frames, security oversight, and consistent integration with federal governmentwide security efforts.

FedRAMP, a key part of the Obama administration’s cloud computing initiative, also will provide security authorizations and continuous monitoring of shared systems.

FedRAMP will let vendors and agencies certify and accredit a system at the low or moderate level, so other agencies can implement it without having to go through a three- to six-month certification and accreditation process.

The low level pertains to information that agencies make available to the public, while the moderate level deals with critical business applications such as financial management and human resource systems, Paschuck said.

For example, RightNow, which has built its data centers at the moderate level, stores Air Force financial data in the company’s cloud infrastructure – sensitive but not classified information, he said.

The government is publishing guidelines with the FedRAMP requirements. The next step is to take these guidelines and make them policy, putting them into procurements, Paschuck said. So when an agency puts out a request for proposals for cloud computing, the RFP will state that cloud providers need to meet specific security standards. Agencies will also be able to stipulate data rights and the need for auditing of the cloud.

Agencies should expect to submit products and services to FedRAMP beginning Oct. 1, with the first approvals coming between January and March 2011.