David Stegon was a staff reporter for FedScoop and StateScoop from 2011-2014.
The White House released a memorandum on Thursday outlining the Federal Risk Authorization Management Program (FedRAMP), a day short of the one-year anniversary of the release of the Office of Management and Budget’s 25-Point Plan.
FedRAMP will create a platform for federal agencies to secure cloud-computing solutions when it officially goes live within the next year, a move that Federal Chief Information Officer Steven VanRoekel said will save the government 30 to 40 percent on cloud computing costs.
VanRoekel announced the program in a conference call with reporters along with GSA Associate Administrator David McClure, Department of Homeland Security CIO Richard Spires, and NIST Director for the Information Technology Laboratory Charles Romine.
"FedRAMP introduces an innovative policy approach to develop trusted relationships between agencies and providers," said VanRoekel. "Federal government spends hundreds of millions of dollars securing IT systems; much [of that] is duplicative, inconsistent and time consuming."
FedRAMP would provide joint authorizations and continuous security monitoring of shared IT services for federal departments and agencies that enter contracts with outside providers, including those offering cloud computing solutions, and will be mandatory for all federal agencies once it is launched. Spires said he estimates that FedRAMP will address up to 90 percent of agencies' FISMA requirements.
A joint authorization board of the Defense and Homeland Security departments and GSA will define and update the security authorization requirements on an ongoing basis. This board will also approve accreditation criteria for third-party organizations that will provide independent assessments of cloud service providers' compliance with FedRAMP security requirements.
He added that the FedRAMP authorizations on services will be at the low and moderate impact levels of the Federal Information Security Management Act.
Spires said the FedRAMP development process has been collaborative in order to build trust with agency CIOs.
"They will need to make adjustments as they see fit for their agency," he said. "I certainly believe, with all that we've done with these controls and adding additional controls from the standpoint of cloud-based services, that we are secure for the FISMA low and moderate levels; there is a high degree of confidence. We've had these discussions in the CIO Council and I think there is a lot of excitement actually to move forward to leverage this. Frankly, as CIOs we are paying too much for all of this certification and accreditation work we do with security and we are looking for ways to streamline this."
According to the memo, FedRAMP will provide a cost-effective, risk-based approach for the adoption and use of cloud services by making available to Executive departments and agencies:
By using an agile and flexible framework, FedRAMP will enable the Federal Government to accelerate the adoption of cloud computing by creating transparent standards and processes for security authorizations and allowing agencies to leverage security authorizations on a government-wide scale, according to the memo.
The plan calls for GSA to create a program management office under the Office of Citizen Services and Innovative Technologies. The PMO will: