White House launches cloud computing security standards

December 8, 2011 By David

Grazed from Washington Business Journal. Author: Jill R. Aitoro.
 

After two years of development, the Office of Management and Budget officially launched a program Thursday that establishes uniform security requirements that contractors will have to meet to sell their cloud solutions to the federal government.

Federal Chief Information Officer Steven VanRoekel sent a memo to all agency CIOs requiring that they use the Federal Risk and Authorization Management Program when purchasing cloud services. FedRAMP, as it’s known, establishes a set of approved, minimum security controls that cloud services will have to meet, as well as an assessment process for authorizing these services under the program…

"FedRAMP introduces an innovative policy approach to develop trusted relationships between agencies and providers," said VanRoekel during a Thursday media call on the launch. "Federal government spends hundreds of millions of dollars securing [these] IT systems; much [of that] is duplicative, inconsistent and time consuming." FedRAMP, he estimated, could produce 30-40 percent in cost savings from the process of securing these cloud solutions.

According to the memo, agencies are to use FedRAMP when procuring "commercial and non-commercial cloud services that are provided by information systems that support the operations and assets of the departments and agencies, including systems provided or managed by other departments or agencies, contractors, or other sources."

A joint authorization board of the Defense and Homeland Security departments and the General Services Administration will define and update the security authorization requirements on an ongoing basis, and approve accreditation criteria for third-party organizations that will provide independent assessments of cloud service providers’ compliance with FedRAMP security requirements.

"Industry solutions will be evaluated against the baseline set of controls, we expect by the third-party assessment organizations," said Dave McClure, GSA’s associate administrator of citizen services and innovative technologies, who was also on the media call. "We don’t want to create a bottleneck by assuming everything can come through FedRAMP [directly]. We want these assessments done well, so industry will then find their products and services" can be authorized under FedRAMP more quickly and easily for use by federal agencies.

The board will provide agencies with standard language about the requirements to include in contract solicitations, and will soon issue separate guidance for contractors that details how they will get their cloud products or services authorized under the FedRAMP process, McClure said.

"I wouldn’t say every industry concern is addressed," he added. "But this is an evolving and iterative program. We have to test, learn and optimize as we go along."

Since the White House revealed its "cloud first strategy" in February, which instructed agencies to consider cloud computing for their IT implementations, agencies have migrated 40 services to the cloud and identified 79 services that will be migrated by June 2012.

"Not only are we saving money, we’re also eliminating legacy systems — over 50 in the last year," VanRoekel said. "We’re introducing new levels of security, reliability and in many cases new functionality into agencies."