Cloud computing's success hinges on rapid certification

The FedRAMP accreditation program aims to quickly approve security controls of Web-based services.

Under pressure to save $5 billion annually by outsourcing computer applications, the federal government is banking on a high-speed certification program for obtaining cloud services.

The Federal Risk and Authorization Management Program, also known as FedRAMP, is aimed at zipping agencies and their contractors through the time-intensive security accreditation process. Initial launch is on the June calendar and the goal is to be at full operational capacity by the end of 2012. The financial stakes are high--White House officials estimate agencies could save 30 percent to 40 percent in testing and procurement costs through FedRAMP.

But patience may be required to see FedRAMP take off, its supporters say. Although agencies are required to participate, they can seek an exemption from the White House if FedRAMP doesn't meet their security needs. And more cautious agencies may layer on extra specifications.

The program's concept centers on having independent auditors verify a tool's compliance with a blanket set of controls, once, so that tool is then eligible for installation throughout the federal government.

"We're looking at a couple-year effort to get this to where agencies see the true benefit," says Susie Adams, the chief technology officer for Microsoft Federal. Dean Weber, chief technology officer for CSC Cybersecurity, says, "it remains to be seen if the process is applicable for each agency's needs, or if they may need to customize the process. It is definitely going to be a crawl, walk, run exercise."

But enthusiasts, including Microsoft and CSC, note that preparations are on schedule and, even if there's no immediate governmentwide embrace, the effort will hasten the shift to Web-based computing.

"At least now there's a standard," says Tom McAndrew, an executive vice president at information technology compliance firm Coalfire. "No one likes going through certification and accreditation."

Vendors already have been given the universal security controls. The General Services Administration, which manages the program, plans to arm agencies with reusable contract templates soon. Companies will know what is expected of them before they even develop a product, officials say.

David Mihalchik, who leads Google's federal business development and sales operation, says, "in terms of the fundamentals of this program, we now have something from GSA that will expedite deployment." Mihalchik adds that "FedRAMP is a clear signal that cloud computing has become mainstream in the federal government."

But it doesn't quite exist yet. No auditors have been approved. After more than a year of interagency vetting, GSA just finalized roughly 300 controls and "enhancements," which are supplemental capabilities and stronger protections. And no instructions are out yet for "continuous monitoring" of threats to government information and networks, although the Homeland Security Department is aiming to distribute those before June.

Another stumbling block: GSA wants the audits to be accessible to all departments through a central online clearinghouse. But a repository of government vulnerability reports would be the ultimate prize for America's adversaries. "If that data is breached then you know all the weaknesses of the entire federal cloud," McAndrew says--something GSA officials understand. "It's largely going to be a paper-based process at the beginning because we won't have the bandwidth up in time," GSA Associate Administrator Dave McClure says.

Defining Security Controls

The National Institute of Standards and Technology spent years carefully refining the definition of "cloud computing" to provide agencies and companies with a mutual understanding upon which to build a new technology market. Now, the contracting community and government must clarify the jargony controls, or security requirements, that even GSA is still decoding. The rules address smartphone access and backup options, among many other issues.

"What they've defined is a governance structure, which is what I think they need to do," says John Gilligan, a former chief information officer for the Energy Department and U.S. Air Force. "The concern is that the processes reallyneed to be fine-tuned. The concern is that this really turns into a massive bureaucracy." Gilligan, now a private consultant, suggests that GSA keep FedRAMP malleable enough to adjust to lessons learned. Recognizing the need to stay flexible, the agency recently told vendors that, as the program matures, federal officials may revise the rules, contract templates and supporting instructions.

Some of the murky items that vendors say could have huge implications involve encryption. The somewhat ambiguous expectations include, for example: "The organization supports the capability to use cryptographic mechanisms to protect information at rest" and "the service provider must implement a hardened or alarmed carrier protective distribution system when transmission confidentiality cannot be achieved through cryptographic mechanisms."

IBM officials say the controls aren't perfect. "If I were to pick the controls up and give them to a commercial provider so that they could implement them in the private space, it would take a considerable amount of translation and interpretation. I was hoping for a set of security controls that didn't have as much government terminology in them," says Andras Szakal, chief technology officer at IBM U.S. Federal. Still, he says, "at the end of the day, it's good that they're providing transparency" into the new purchasing protocols.

GSA officials anticipate showing vendors the contract boilerplate before startup in June. "These are things that many cloud service providers don't get until they sign a contract," says FedRAMP Program Manager Matthew Goodrich. "We're trying to make as much known beforehand so you know what you're getting into."

One of the beauties of the cloud is vendors can enhance services on the fly or as improvements in technology become available. But for the government, each time a vendor updates a system, traditionally, security must be rechecked. "You can add a new feature, and that could add a new vulnerability," says Chris Wysopal, co-founder and chief technology officer at computer security firm Veracode. "There may need to be almost a continuous assessment." Certain parts of a provider's operating environment may have to be audited more frequently, he expects.

Going through a reassessment for every upgrade, however, could be counterproductive. "What constitutes a change that is large enough to warrant an update to an existing security plan or an entire reassessment? Right now it is very murky. I do think they need to lock down what constitutes a material change and what doesn't. I think it is a challenge," Microsoft's Adams says. GSA officials on Feb. 7 described some adjustments that may require reassessment but gave agencies a lot of wiggle room to do their own thing: "These changes include, but are not limited to, [the cloud service provider's] point of contact with FedRAMP, changes in the CSP's risk posture, changes to any applications residing on the cloud system, and/or changes to the cloud system infrastructure."

GSA officials say there never will be a full compendium of what indicates a significant change. Typically, the agency's chief information officer will weigh the riskiness of a modification and determine if it merits an entire recertification, an update to the authorization or no review at all.

Federal officials also are still learning the ropes for real-time surveillance of threats in the cloud. Currently, IT managers are expected to report on antivirus updates, remote logins and other network vulnerabilities by pulling live data feeds from all devices into a central Homeland Security inbox called CyberScope. That maneuvering might be tricky in an environment where federal IT managers have little say.

But, as GSA announced in February, the cloud provider's data centers will be required to automatically transmit to DHS certain stats. "The government is going to have to establish what is good enough for continuous monitoring," CSC's Weber says.

And then there remains the task of hiring an army of compliance auditors to meet vendors' demands for product certification. The government in January closed the application period for getting on an initial list of inspectors. Officials then immediately began accepting forms from more hopefuls on a rolling basis. The first batch of approved assessors will be named in mid-April, GSA officials say. Based on the more than 100 individuals who identified themselves as employees for prospective auditing companies at a December 2011 industry briefing, there seems to be great interest in the role.

Funding Uncertainty

The budget for sustaining FedRAMP is another unknown. Part of the program currently is funded through an e-government account covering many online operations that Congress recently increased to $12.4 million, still far below the president's $34 million request. "I think it's an important program that deserves a line item," says Jennifer A. Kerber, president of research group Tech America Foundation. GSA officials expect the cost of FedRAMP operations will be covered by a "self-sustaining funding model" in 2014.

Initially, government funds will be used to judge candidates for the assessor jobs, but the plan is to hand that cost over to a private sector accreditation body in two years. Some cloud suppliers predict a backlog of applicants because the government doesn't have enough funding or resources to evaluate all assessors at once. GSA officials maintain there is solid support for FedRAMP's continuation. The government "will be able to review all applications as expeditiously as possible," they said in a statement, adding that the program office will "give applicants clear expectations about review time once the applications review process begins."

Engendering trust in FedRAMP is contingent in part on the objectivity of the auditors, most of whom will be paid by the suppliers they audit. Agencies can opt to cover the cost, but usually these kinds of assessments are on the contractor's dime. Conflicts of interest could be hard to avoid, vendors say, because the potential inspectors currently work with many cloud providers on other IT projects. "How does the provider paying the auditor to do the work actually provide that arm's-length separation?" Weber says.

In addition, some firms vying to serve as suppliers have auditing divisions. "You can't audit your own cloud," says McAndrew, who also serves as the Seattle chapter president of the global IT professional organization Information Systems Audit and Control Association. "Your judgment is impaired."

To address the potential biases, GSA officials say applicants must demonstrate that the performance of their other business lines, including cloud services, has no bearing on the pay of their audit staff. NIST-developed criteria for ensuring this independence will be rigorous, particularly for companies attempting to participate on both sides of the ramp as providers and auditors. The accounting industry has been able to achieve impartiality through a similar segregation of responsibilities. GSA officials add that the FedRAMP auditor accreditation process will be more demanding than the current method of sanctioning third-party auditors.

So far, government and industry have been working out uncertainties both in the cloud and on the ground. GSA maintains a regularly updated website with FAQs and presentations. GSA officials also spent considerable time with vendors at group meetings before and after issuing the final FedRAMP procedures.

Everyone seems to agree that program officials are aggressively moving forward to make FedRAMP a reality. If they do so then the government just might create a worldwide market for cloud security systems. The standards and certifications the program would produce eventually could be transferable to private sector clients, contractors note. Providers on their own accord could repackage the government endorsements to show corporate customers a product's security posture, GSA officials say.

There is precedent. The Federal Information Processing Standards, or FIPS, took about a decade to journey from a government information security specification to a global standard, CSC officials point out. State and local governments already want to be able to leverage the documentation, according to Microsoft officials. Cloud companies usually have to obtain permission from their federal customers before sharing any risk assessments externally.

Officials are aware of the high expectations and doubts.

"We're not locking this down in cement and saying, 'We've considered everything. Sorry,' " GSA's McClure says. "If we can't sell this consistency and trust on a business case, then we're doing the wrong thing to begin with."

This story originally said agencies sought to save $5 billion annually by 2015 through outsourcing IT applications. There is no such deadline for meeting that savings goal, according to OMB. The story has been corrected.

NEXT STORY: Cloud Computing

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.