The first set of third party service providers able to provide the federal government with cloud computing services as part of the Federal Risk and Authorization Management Program will be announced next month, General Services Administration Associate Administrator of the Office of Citizen Services and Innovative Technologies Dave McClure said Friday.
Speaking at the first public meeting of FedRAMP’s Joint Authorization Board, McClure said the JAB has used baseline standards and controls already in place with the National Institute of Standards and Technology’s 800 series of security reports.
“We are using a very rigid process, using ISO assessments and a variety of other standards in authorizing these companies,” McClure said.
The JAB consists of the chief information officers from the Department of Defense, Department of Homeland Security and GSA, along with official designees of each of those offices and the program’s program management officer within GSA.
Both GSA CIO Casey Coleman and DHS CIO Richard Spires took part in the meeting along with Defense Deputy CIO for Information Management, Integration and Technology David DeVries, who sat in for CIO Teri Takai. The JAB’s meeting was hosted by the Association for Federal Information Resources Management at the Crowne Hamilton Hotel in Washington, D.C.
Throughout the program, the JAB will provide the technical knowledge and skills that gives a government-wide baseline approach to address the security needs associated with placing federal data in cloud computing solutions.
Additionally, the JAB will provide joint provisional security authorizations of cloud solutions using this baseline approach. This provisional authorization will create an authorization package that can be leveraged by individual agencies across the federal government to grant an authority to operate at their respective organizations.
Notes from the meeting:
- Coleman said the authority to operate will still lie with the agency CIOs, but the JAB can provide a provisional authorization that the agency can then decide if it fits their requirements. “The provisional authority expects to be an 80 to 90 percent solution that can give a faster time to operation if an agency chooses to go in that way,” she said.
- Spires said he is in deep discussions in regards to continuous monitoring solutions within the program. He said he expects within the next month to two months that additional guidance will be released for cloud services providers as they prepare to launch for the program.
- Coleman said the process for providers will speed up if the providers understand the regulatory framework they need to work in.
- DeVries said that the full capabilities for the program will not be fully seen until more than a year from now as the program goes through a “crawl, walk, run” build-up. “We’re going to come out with more capabilities that can be utilized spending less money and less time and that’s what is truly exciting.”
- McClure: “We’re not lowering the bar for security in the federal government – if anything we’re raising it.”
- McClure: All of the information gathered in the FedRAMP program will be collected into a single place that agency officials (think CISOs) can access to better understand security issues and trends.
- DeVries said this group of security controls won’t be “the panacea,” but will be a starting point to be built upon.
FedRAMP aims to reduce duplicative efforts, inconsistencies and cost inefficiencies associated with the current security authorization process. The program will also establish a public-private partnership to promote innovation and the advancement of more secure information technologies.
By using an agile and flexible framework, FedRAMP will enable the federal government to accelerate the adoption of cloud computing by creating transparent standards and processes for security authorizations and allowing agencies to leverage security authorizations on a government-wide scale.
FedRAMP was first announced in 2010 as part of the Office of Management and Budget’s 25 Point Plan to Reform Federal IT, authored by former Federal Chief Information Officer Vivek Kundra and now OMB Acting Director Jeff Zients.
The White House released a memorandum in December outlining the program that Federal CIO Steven VanRoekel said will save the government 30 to 40 percent on cloud computing costs.