FedRAMP: Keeping up with changing cloud security standards

Cloud computing continues to evolve -- and so do the government's security controls.

FedRAMP logo

Just as agencies and vendors are starting to get the knack of complying with the Federal Risk and Authorization Management Program, the General Services Administration is preparing to revise FedRAMP's baseline standards.

GSA solicited public comments last summer on the FedRAMP update and is now revising the standards, which cloud service providers must meet in order to sell to agencies. The changes are based on the revised National Institute of Standards and Technology Special Publication 800-53 released in April 2013. It outlines updated security and privacy controls for federal information systems.

The update to FedRAMP's baseline standards will ensure that the security controls stay relevant as cloud computing evolves, a GSA spokesman said.

The CIOs at GSA, the Defense Department and the Department of Homeland Security, who lead the FedRAMP Joint Authorization Board, have already reviewed the revised baseline. GSA is now waiting for NIST to complete test cases — likely by March — before moving forward with the transition.

Agencies have until June to ensure that all the cloud service providers they use (or with whom they are in contract negotiations) are FedRAMP-approved. The Office of Management and Budget's PortfolioStat program is providing insight into the progress agencies are making toward that goal, the GSA spokesman said.

However, the process is complicated by the fact that agencies are seeking to comply with standards that are still evolving. Kyra Fussell, a senior research analyst at Deltek's GovWin, said agencies and vendors should not be surprised by the revisions.

"Back when FedRAMP launched, the program office explained that changes to the security controls would be driven by [the Federal Information Security Management Act] and other security standard updates," she said. "Since the FedRAMP security controls leveraged several documents from NIST, updates to these documents stand to catalyze revisions to those baseline controls."

Furthermore, agency managers should be aware that FedRAMP certification is not a guarantee of complete security, she added.

"The FedRAMP security baseline is set for the FISMA low to moderate levels, so there are higher levels of security that are not covered by these authorizations," she said. "These assurances may not fully address privacy concerns and other subtleties of data sensitivity. As with any cloud adoption effort, agencies need to understand the information access and management requirements for the data that will be hosted on the system."

'An always-changing environment'

NIST Special Publication 800-53 was first published in 2005. The current version, Revision 4, is the most comprehensive update since the publication was first released, Fussell said. Only two cloud service providers had received FedRAMP approval when that version was in its final draft stage in early 2013.

The update expands the catalog of security controls from 600 to more than 850, increases the focus on secure development and continuous monitoring, and includes guidance for tailoring security to specific requirements, Fussell said.

"Of particular significance for FedRAMP, those additional security controls and enhancements included a number around mobile and cloud computing," she said. "There is no separate catalog for cloud security, however."

Routes to FedRAMP

Cloud service providers have a number of ways to gain approval under the Federal Risk and Authorization Management Program:

An agency can grant an authority to operate to a specific company. That authority applies only to that agency.

The Joint Authorization Board can grant a governmentwide provisional authority to operate, which means any agency can use that cloud vendor.

Cloud service providers can designate whether they wish to be evaluated against a low-sensitivity or a moderate-sensitivity security baseline based on the types of information their systems are meant to handle. High-sensitivity designations are currently not part of FedRAMP.

Source: GSA's "Guide to Understanding FedRAMP"

Although FedRAMP imposes burdens on vendors to achieve and demonstrate compliance, it also aids them in overcoming agency managers' resistance to cloud computing, said Tom Ruff, vice president of Akamai's public-sector business. Akamai earned a provisional authority to operate under FedRAMP in August 2013.

"When the government came up with the cloud-first initiative, they were looking at not only the advantages of cloud but also the inhibitors," he said.

Security has always been a significant hurdle for vendors seeking to convince skeptical agency managers of the benefits of cloud computing. For example, as recently as last spring, when FCW parent company 1105 Media conducted a survey, 73 percent of government IT professionals believed cloud computing introduced new security vulnerabilities, while only 19 percent thought it could improve security.

Once an agency's data is in someone else's hands, managers and CIOs tend to feel they have lost control over it because they have to trust someone else to protect it. By using FedRAMP to ensure that an approved cloud vendor meets the same security requirements established by FISMA and articulated by NIST, much of that resistance can be overcome, Ruff said.

With that in mind, changes like the ones underway now are to be expected, he said. "As you try to address security in any environment, it's not a set-and-forget type of environment," he said. "Security…is an always-changing environment."

The costs of certification

However, although compliance comes with rewards, the resources involved are not trivial, Fussell said. Vendors must pay the cost involved in completing the assessments with no guarantee of securing repeat business — or indeed any business at all.

"It's a cost that some vendors, particularly small businesses, need to evaluate carefully," she said.

There is another wrinkle: Companies seeking authorization must find a third-party assessment organization (3PAO) to evaluate their compliance with FedRAMP standards. That business relationship needs to be considered strategically, she said.

"The FedRAMP office certifies these assessment organizations, but they do not prescribe one to use," she said. "While this allows vendors to change assessors as warranted, it means industry is responsible for forming those partnerships. There is also some speculation among vendors about strategic differences between agency-sponsored authorizations and those issued by the FedRAMP [Joint Authorization Board]. Namely, does one better position them for competition?"

Although there are no set costs, Ruff confirmed that the process is not cheap — and it is not quick either.

"It took us 13 months," he said. "It took us man-years of effort and the investment of hiring a 3PAO. Our investment was in the seven-digit investment area. I know there are other solutions out there with [Joint Authorization Board] approval that have put in significantly more money."

Fortunately for cloud service providers, the forthcoming baseline update will not require those that have already earned a provisional authority to operate to undergo the entire assessment process again. Instead, they will have one year to implement and test the new controls as part of their continuous monitoring effort. Providers that are in the process of gaining approval will have a deadline by which they must comply with the new standards.

That approach is in keeping with the general thrust of FedRAMP, Fussell said. "The aim of FedRAMP to shift from a one-off compliance process to ongoing security assurance highlights requirements for ongoing assessment and authorization," she said. "Completing a system assessment and receiving provisional authorization isn't the end of this process."