FedRAMP comes fraught with challenges

Agency CIOs acknowledge cloud fears, but look to FedRAMP to alleviate some of the concerns. However, FedRAMP poses some difficulties of its own.

The process of standardizing and implementing security controls for federal cloud services doesn’t come without hiccups, and the only way for agencies to move forward is through a “quick learning, slow implementation” approach, said an official in the General Services Administration.

Although there’s little contention about the merits of the Federal Risk and Authorization Management Program, its “do once, share many times” approach is fraught with challenges, particularly in the areas of culture and existing security requirements, said David McClure, associate administrator in GSA’s Office of Citizen Services and Innovative Technologies.

With the development and rollout of FedRAMP, “we’re not creating a single Cinderella shoe here that fits everything,” said McClure, who moderated an April 13 breakfast panel organized by the Association for Federal Information Resources Management. “There continues to be, and has to be, an evolutionary and intelligent view on how we approach security.”

FedRAMP is a joint effort between cybersecurity and cloud experts from agencies such as GSA, departments of Homeland Security and Defense, the Office of Management and Budget, the Federal CIO Council, as well as the commercial sector. The program’s governing body, the Joint Authorization Board, provides authorization review as well as technical expertise to address agencies’ security needs.

The JAB is also expected to give that “extra push, extra authoritative review that really digs into this critical work and component of FedRAMP called leveraging,” McClure said.

“If we leverage the work of each of our agencies, we win,” he said. “We win big-time, because we will not spend as much money, and we’ll be able to do this much faster.”

But the largest cost savings won’t come from standardizing controls for cloud-based services but from leveraging commodity IT, said Richard Spires, CIO at the Homeland Security department. A key reason the government trudges behind industry in leveraging commodity IT is the existence of security mechanisms that make it hard to take advantage of cloud services, said Spires, who also sits on the JAB.

“There’s real hesitancy on the part of the government to move forward without the right security controls,” he said. “It will take another couple of years to get [FedRAMP] rolling, but it will really break down the barriers so that the federal government can leverage cloud-based services, both for private clouds as well as public clouds and hybrids to the same degree you start seeing them in the private sector.”

McClure acknowledged that the path toward full FedRAMP operational status in 2014 won’t be without roadblocks. “We all know that; we know that throughout government security officers will have varying interpretations of what controls are acceptable and whether you can leverage a total package or not,” he said. “We know that we’ll have to demonstrate the foundational element of solid evaluation, high degree of trust, and the ability to leverage.”