Federal Cloud Security Standards Take Shape


The federal government came one step closer Thursday to an official cloud security standard that dictates how federal agencies assess, authorize and monitor cloud computing products and services in a "do once, use many times" fashion the government says will cut costs, time and resources.

In a memo to all agency CIOs, Federal CIO Steven VanRoekel required all agencies to use the Federal Risk and Authorization Management Program (FedRAMP) when purchasing cloud services. Agencies have until June 2012 to start using FedRAMP, which establishes a set of approved security controls that cloud services must meet, along with an assessment process for authorizing the use of these services within the federal government.

"Cloud computing offers a unique opportunity for the Federal Government to take advantage of cutting edge information technologies to dramatically reduce procurement and operating costs and greatly increase the efficiency and effectiveness of services provided to its citizens. Consistent with the President's International Strategy for Cyberspace and Cloud First policy, the adoption and use of information systems operated by cloud service providers (cloud services) by the Federal Government depends on security, interoperability, portability, reliability, and resiliency," VanRoekel wrote in the memo.

VanRoekel said executive departments and agencies will be required to adhere to FedRAMP when "procuring commercial and non-commercial cloud services that are provided by information systems that support the operations and assets of the departments and agencies, including systems provided or managed by other departments or agencies, contractors, or other sources" along with all cloud models and all services models.

The FedRAMP Web site indicates that the goals of the program are to speed the adoption of secure cloud solutions through reuse of assessments and authorizations; increase confidence in the security of cloud solutions; achieve consistent security authorizations using a baseline set of agreed-upon standards to be used for cloud product approval; ensure consistent application of existing security practices; increase confidence in security assessments; and increase automation and near real-time data for continuous monitoring.

As for benefits, the program's Web site states that the federal government believes adherence to FedRAMP will increase the reuse of existing security assessments across agencies; save significant costs, time and resources; boost real-time security visibility; create a uniform approach to risk-based assessment; enhance transparency between government and cloud service providers; and improve the trustworthiness, reliability, consistency and quality of the federal security authorization process.

"FedRAMP will reduce duplicative efforts, inconsistencies and cost inefficiencies associated with the current security authorization process," VanRoekel wrote. "FedRAMP establishes a public-private partnership to promote innovation and the advancement of more secure information technologies. By using an agile and flexible framework, FedRAMP will enable the federal government to accelerate the adoption of cloud computing by creating transparent standards and processes for security authorizations and allowing agencies to leverage security authorizations on a government-wide scale."