Government Closes In On Cloud Computing Security Regulations5:25 PM EST Wed. Nov. 03, 2010
The White House this week laid out preliminary cloud computing security guidelines as part of the Federal Risk and Authorization Management Program (FedRAMP).
In a 90-page document, the Obama administration drafted the potential security requirements needed to help federal government agencies adopt cloud computing technologies and services and reduce redundant processes. The document, titled "Proposed Security Assessment and Authorization for U.S. Government Cloud Computing," looks to identify security and risk assessment requirements that must be met by in order for the government to move to the cloud.
The Obama administration and Federal CIO Vivek Kundra have said that cloud computing is among the top IT plans within the federal government, but before government-wide adoption begins a common set of security requirements is needed.
In the document, three key cloud computing areas are covered. It offers a list of baseline security controls for cloud computing systems; processes through which authorized cloud systems will be continual monitored; and propose operational approaches for assessments and authorizations of cloud computing systems. The FedRAMP specifications look to put forth a uniform set of requirements to be followed by vendors and contractors. The system will utilize a standardized approach for security authorizations to streamline the cloud procurement process across different agencies.
"As part of the President’s Accountable Government Initiative, we are working to close the IT gap between the private and public sectors, and leverage technology to make government work harder, smarter, and faster for the American people," Kundra said in a statement. "By simplifying how agencies procure cloud-computing solutions, we are paving the way for more cost-effective and energy-efficient service delivery for the public, while reducing the federal government’s data center footprint."
Next: Cloud Security Is Big Challenge
According to the General Services Administration (GSA), which helped draft the document, FedRAMP was established to provide a standard approach to assessing and authorizing cloud computing services and products and to allow joint authorizations and continuous security monitoring services for government and commercial cloud systems intended for multiagency use. Using joint authorizations will enable a common security risk model that can be leveraged across the federal government to create a consistent baseline for cloud-based technologies, the GSA said.
"Ensuring data and systems security is one of the biggest and most important challenges for federal agencies moving to the cloud," David McClure, GSA's Associate Administrator for Citizen Services and Innovative Technologies, said in a statement. "FedRAMP's uniform set of security authorizations can eliminate the need for each agency to conduct duplicative, time-consuming, costly security reviews."
The GSA and the Chief Information Officers Council are seeking public comment on the guidelines and requirements by December 3.
The drafted security requirements follows a May plea by Kundra for standards around security, interoperability and data portability before the U.S. government can fully embrace cloud computing. At that time, Kundra said that for the cloud to truly take hold in the government the feds must develop standards to avoid inefficiencies and security holes.
"What's important today is the [development of standards] in the area of security, interoperability and data portability" to ensure information is protected; clouds and the computer applications they support can work together; and content can be moved within and among different clouds without jeopardizing access to or integrity of the data, Kundra said during his keynote speech at the Cloud Computing Forum and Workshop hosted by the National Institute of Standards and Technology (NIST).