OMB outlines approach for cloud computing security
In the latest follow-up to the “cloud first” policy advocated by federal CIO Vivek Kundra and the Federal Cloud Computing Strategy issued last February, OMB released new federal policy guidance directing agencies to use the requirements, security assessment procedures, and cloud service authorization packages developed under the Federal Risk and Authorization Management Program (FedRAMP). In a memo to agency CIOs entitled “Security Authorization of Information Systems in Cloud Computing Environments”, current federal CIO Steven VanRoekel (who replaced Kundra in the position in August) outlined key aspects and anticipated benefits of the FedRAMP program, detailed expectations for executive agencies, and explained the role of the FedRAMP Joint Authorization Board (led collectively by the Department of Homeland Security, Department of Defense, and General Services Administration).
FedRAMP is a multi-agency collaborative effort managed by GSA that provides a standard process for assessing cloud service providers against FISMA requirements and the security control framework specified in Special Publication 800-53. Under this process, cloud service providers seeking to do business with government agencies hire approved third-party assessment organizations to conduct independent reviews of their security and to produce system security plans, security assessment reports, and other Risk Management Framework documentation that the FedRAMP Joint Authorization Board can use to decide whether to authorize the cloud service providers for use by government agencies. This approach essentially establishes pre-authorized cloud computing providers, so that individual agencies can avoid incurring the time and resource costs ordinarily required to perform an agency-specific assessment.
FedRAMP represents something of a departure from standard federal acquisition practices, as cloud service providers will apply directly to the FedRAMP program when seeking authorization, potentially allowing them to first complete authorization and then compete for government agency contracts for cloud services. In contrast, when GSA awarded the first federal cloud computing contracts in 2010 (to 11 companies to provide infrastructure as a service offered through Apps.gov), all of the service providers receiving prime contracts still needed to demonstrate FISMA compliance and achieve authorization to operate.