FedRAMP—Securing the Cloud Data Center Federal Style
Do cloud computing services make sense for the US government? Are these services secure enough to meet the exacting standards of federal agencies and the Pentagon?
You might be surprised to find that not only does the federal government use cloud services of all types, but it actively encourages all government bodies to adopt cloud IT services through the development of National Institute of Standards and Technology (NIST) Cloud Computing Standards, first published in 2010 and revised in November 2011.
In its continuing support of widespread federal cloud adoption, the US General Services Administration (GSA) recently rolled out a security certification program, called the Federal Risk and Authorization Management Program (FedRAMP), for public cloud data centers and service providers.
First announced in May 2012, FedRAMP rolled out officially the following November. It has the support and governance of an impressive array of agencies.
Like other recent cloud data center certification programs, such as the Cloud Security Alliance Security, Trust & Assurance Registry (STAR) and the Open Data Center Alliance Provider Security Assurance programs, FedRAMP is designed to allow cloud data center providers to certify that their environments meet the stringent security requirements demanded by the US federal government and other regulatory entities.
The program is the result of close collaboration with cyber security and cloud experts from GSA, NIST, DHS, DOD, NSA, OMB, the Federal CIO Council, and private industry. The GSA is sponsoring the program, which allows for standardized security assessment, authorization, and continuous monitoring of cloud products and services that will be used by and for federal agencies.
Getting certified requires a three-step process:
Step 1: Provider implements the FedRAMP security requirements based on the published documentation.
Step 2: Provider hires a FedRAMP approved third-party assessment organization to perform an independent assessment of their environment and process documentation.
Step 3: The FedRAMP Joint Authorization Board reviews the security assessment package to determine status.
Some of FedRAMP’s stated goals and benefits include:
- Accelerating adoption of secure cloud solutions
- Increasing confidence in cloud security by improving real-time security visibility and providing a uniform approach to risk-based management
- Achieving consistent security authorizations using a baseline standard and increasing the re-use of existing security assessments across agencies
- Ensuring consistent application of existing security practices
- Saving significant cost, time, and resources—"do once, use many times"
- Enhancing transparency between government and cloud service providers
To date, two companies—Autonomic Resources LLC and CGI Federal, both Infrastructure as a Service (IaaS) vendors—have completed the certification process with twelve more companies in the pipeline for completion by end of first quarter 2013.
For companies doing business with the US federal government, this is exciting news. For US citizens who are concerned about privacy and the protection of government data, yet want a more efficient government, this is a much needed and welcome new program.