US Wants Private Sector to Secure Government Cloud

The U.S. government has some unique — and exacting — security requirements related to the adoption of cloud technology. These internal government security hurdles have resulted in significant outreach to expertise from commercial information technology companies.

The latest example is an invitation from the General Services Administration to the private sector to take over a critical element in the security certification of federal cloud deployments.

The government established a central security process so that each agency would not have to develop its own cloud security protocol. The result was a “create-once, use often” platform known as the Federal Risk and Authorization Management Program (FedRAMP,) that was initiated in December 2011.

In the certification process, once a cloud service provider meets a first-level screening standard for its system security plan, the provider must then undergo a performance test and audit conducted by a third-party assessment organization (3PAO) selected and accredited by GSA.

That agency, however, now wants to privatize the third-party audit process and get the government out of that part of the program.

Private Scenario From the Start

“Since FedRAMP launched, the 3PAO program has stated that the accreditation function would be privatized. In fact, the privatization of accreditation is specifically called for in the original FedRAMP concept of operations,” Kathy Conrad, principal deputy associate administrator with GSA’s Office of Citizen Services and Innovative Technologies told the E-Commerce Times.

The accreditation process was intended to move to a board managed by private sector organizations, according to Conrad. The privatized board will be responsible for assessment and accreditation of 3PAOs using standards and guidance from the FedRAMP office.

The use of an outside mechanism is part of an independent, peer group procedure for securing federal cloud deployments. Conrad noted that the process is similar to one used by the Department of Health and Human Services for ensuring secure electronic health records. That process eventually moved to the American National Standards Institute (ANSI).

GSA is seeking comment from the IT community — both public and private — on the privatization initiative by March 5, 2013.

The privatization option is preferred for several reasons, Conrad said. “First, it transitions a function that is not inherently governmental back to the private sector, freeing valuable resources. It is expected that privatization will further develop the marketplace of qualified, technically competent independent assessors available to help cloud service providers meet and comply with the FedRAMP requirements. Also, it develops a sustainable model so that the standards for technical competency and independence can be re-evaluated and tested on a more regular basis.”

Keep the Feedback Coming

The privatization of the auditing and performance process is consistent with GSA’s policy for seeking feedback from the private sector. “Continuous improvement has been a hallmark of the FedRAMP process, and input from our stakeholders drives updates. We asked for public input at the inception of the program and received over 1,200 comments, which the program office used in launching FedRAMP,” Conrad said.

“Since then, the feedback from agencies, cloud service providers, third party assessment organizations and the public at large has been considered to improve the quality of the program,” she added. “As we move toward full operating capability, we will continue to ask for feedback.”

Although the FedRAMP program won’t reach full operational status until later this year, GSA has managed to run a simultaneous certification process even as it was developing the overall program. Within the last eight weeks it awarded the first two cloud service provider approvals: Autonomic Resources, a small business provider of Infrastructure as a Service capabilities was approved in late December, and CGI Federal, a major IT services provider, was certified in early February.

Nearly 80 other providers have filed applications for FedRAMP certification, but only about half of those have been judged ready to proceed with the next stage of the approval process. The essential element of trust inherent in the FedRAMP Program stems from “the rigor and the integrity of the security assessment that then can be leveraged across government,” Conrad said.

“FedRAMP is not a process for those who are looking for a quick and easy security assessment,” she told attendees at a recent cloud conference jointly presented by the Software and Information Industry Association and Deltek.

“We went through the health records process at HHS and it was challenging, and the FedRAMP challenge is similar,” Michael Binko, president and CEO of Kloudtrack and a panelist at the conference, told the E-Commerce Times.

“While the process may appear to favor larger firms, small firms can gain because it’s a government-wide program that is open to all,” he said, “and if you have your ducks in order you can qualify whether you are big or small. So it helps to open cloud opportunities for all firms.”

NIST Seeks Business Input

The National Institute of Standards and Technology (NIST) is also reaching out to the private sector for feedback on security standards for a variety of federal IT programs, including cloud deployments.

The agency is taking comments through March 1, 2013 on the latest revision of its Security and Privacy Controls for Federal Information Systems and Organizations reference document, which took two years to process.

“We have included a new feature that allows agencies to include a special security overlay to the security standards to deal with special situations. The Defense Department might include an overlay appropriate to a cloud-based email system for civilian staff, and a different one for an email system that embraces combat-oriented operations,” Ron Ross, FISMA Implementation Project leader at NIST, told the E-Commerce Times.

The concept of overlays allows organizations and communities of interest to develop specialized security plans that reflect specific missions, business functions, environments of operation, and information technologies. The feature makes it possible for agencies to adapt operations to the pace of change in IT.

“This revision is broadly based for a range of federal IT purposes, but it fits right into the FedRAMP process as a baseline document used in that program,” Ross said. NIST standards form the key building block for the FedRAMP criteria, in conformity with the Federal Information Security Management Act (FISMA).

Ross noted that during the drafting stage of the security document, NIST sought and received substantial feedback from industry as well as government and academic sources.

While the FedRAMP process has taken more than two years to mature, the input from industry has helped create a security bridge between government agencies and IT companies who offer cloud-based services to the federal market.

“As more government services and data are migrated to cloud environments, FedRAMP’s controls will increase agency confidence through the consistent, disciplined application of security practices,” said Donna Ryan, president of CGI Federal. “Improving real-time security visibility and transparency of operations between agencies and cloud providers is critical to achieving the benefits of cloud.”