Federal Times Blogs
AT&T has shown it can meet strict security standards for the cloud computing storage offerings it provides to federal agencies.
The certification is called the Federal Risk and Authorization Management Program (FedRAMP), and vendors must be FedRAMP certified to compete for certain cloud contracts. The FedRAMP program announced that AT&T had been granted provisional authorization.
Before this announcement, only a handful of vendors had gone through the FedRAMP certification process: Hewlett-Packard, Lockheed Martin, Amazon Web Services, CGI and Autonomic Resources.
An initial group of nine organizations has been selected to provide independent security reviews of cloud products and services used in the federal government.
As part of the Federal Risk and Authorization program (FedRAMP), expected to launch June 6, vendors must work with an approved third party assessment organization, or 3PAO, to validate that they have implemented baseline security standards. For years, these security reviews have varied across government and have cost agencies millions of dollars each year.
Approved 3PAOs include:
Department of Transportation Enterprise Service Center
Dynamics Research Corporation
J.D. Biggs and Associates Inc.
Knowledge Consulting Group, Inc.
SRA International, Inc.
Veris Group, LLC
A review board, comprised of officials from the National Institute of Standards and Technology and GSA, selected the first wave of 3PAOs. As part of the FedRAMP process, vendors must contract with a 3PAO to assess the security of their products and services.
“The accreditation process will eventually migrate to a board managed by private sector organizations,” according to the FedRAMP concept of operations document. “After the private sector accreditation body has been established, the FedRAMP PMO (program management office) will establish a transition timeframe for all 3PAOs to be accredited by the privatized board.”
Federal officials have completed two test runs of the government’s new cloud computing assessment program to work out any kinks before the June launch.
The General Services Administration, which manages the Federal Risk and Authorization Management Program (FedRAMP), held training sessions for chief information officers from GSA and the Defense and Homeland Security departments to simulate their roles on an interagency review board, said Dave McClure, associate administrator of GSA’s Office of Citizen Services and Innovative Technologies. CIOs reviewed mock security assessments to discuss whether they met FedRAMP standards.
Starting in June, the interagency board will review companies on GSA’s Infrastructure-as-a-Service contract and others that are providing similar services to agencies across government. Vendors that are not initially reviewed by the board will have to show they meet FedRAMP security standards through an approved independent assessor.
“We are trying to get the process worked out and tested,” McClure said. “How do we set this up so that we streamline [FedRAMP] and… become aggressive solution finders for answers to questions or problems?”
There is often miscommunication between the agency and vendor on what is acceptable proof to verify security of a service or product, said McClure, who spoke at an Association for Federal Information Resource Management event Friday morning. GSA will soon provide standard templates for agencies and cloud providers to use throughout the process, McClure said.
“It creates shared expectations up front… based on clear tangible documents that explain what needs to be done,” said Kathy Conrad, principal deputy associate administrator for GSA’s Office of Citizen Services and Innovative Technologies.
The interagency group of CIOs, called the joint authorization board, will have to meet virtually and in person to work through the FedRAMP review process, McClure said. The board will rely heavily on technical representatives to help review vendors’ security packets and streamline the review process.
Still, there are other issues that must be addressed, such as continuous monitoring.
GSA has not decided how the government will determine the ongoing security of its vendors. What information will be exchanged and who can access the information has not yet been determined, McClure said.
GSA is still working through program logistics, but CIOs are confident that FedRAMP will have many benefits.
FedRAMP will drive greater adoption of cloud computing in the federal government and spur increased competition for federal business, said DHS CIO Richard Spires, who also spoke at the event.
The program is also in line with the federal CIOs’ vision for shared services, said GSA CIO Casey Coleman.
“It’s not going to be perfect, but we have spent a lot of time trying to think through how to make sure this works well,” McClure said.
The General Services Administration provided more details on Tuesday about a new mandatory security assessment program for federal cloud providers.
A 47-page concept of operations document about the Federal Risk and Authorization Management Program (FedRAMP), managed by GSA, details how agencies and cloud vendors can initiate the FedRAMP process, how the program will work and what is required of all parties involved in the process.
One thing vendors should expect is new service level agreements that hold them legally responsible for meeting and maintaining FedRAMP requirements, according to the document.
But GSA doesn’t clearly define what services will be available through FedRAMP when “initial operational capabilities” are launched in June. For example, here’s a description of what’s to come this fiscal year: “Launch IOC (initial operational capabilities) with limited scope and cloud service provider” and “authorize” cloud service providers. What does “limited scope” mean?
I also am curious to know how many companies have applied to become third party assessment organizations, or 3PAOs. These companies, if approved by a federal review board, will provide an independent assessment of vendors’ cloud systems and services under FedRAMP.
GSA wouldn’t say how many companies have applied to become 3PAOs let alone who they are, but GSA described the number of applicants as “a very healthy number.” GSA said it won’t complete the review process for 3PAOs until mid-April.
Amazon Web Services is the latest vendor to pass a rigorous security review for all federal cloud products and services.
So far, only CGI Federal and North Carolina-based Autonomic Resources have completed the Federal Risk and Authorization Management Program (FedRAMP). The governmentwide program was launched in June to standardize security reviews of commercial cloud products and is housed within the General Services Administration.
Under the FedRAMP program, Amazon was granted an Authority to Operate (ATO) by the Health and Human Services Department. This means HHS has certified that Amazon’s GovCloud and regional cloud service offerings meet federal security standards, and the company’s services are authorized for use at HHS. The purpose of FedRAMP is for other agencies to save time and money by using or building on the security review HHS has done.
More than 300 government agencies are currently using Amazon Web Services, Teresa Carlson, vice president of worldwide public sector, said in a statement.
By June 2014, all cloud services and products in use at federal agencies or in an active acquisition process must meet FedRAMP requirements.
The Defense Information Systems Agency is one step closer to standing up cloud broker services for the Defense Department.
As DoD’s cloud broker, DISA will manage the use, performance and delivery of cloud services and negotiate contracts between cloud service providers and DoD consumers.
DISA announced Tuesday that it has developed a process for gathering and assessing DoD’s cloud computing requirements, evaluating vendors’ cloud offerings against contract requirements and has created a catalog for cloud services. In a June 2012 memo, DoD Chief Information Officer Teri Takai said all DoD components must acquire government or industry-provided cloud services using DISA, or obtain a waiver.
DISA will manage cloud services categorized as low or moderate in terms of potential impact on DoD operations in the event of a disaster or cyberattack. The agency will also ensure that cloud offerings comply with the department’s information assurance and cybersecurity policies.
DISA is using Federal Risk and Authorization Management Program (FedRAMP) standards to vet cloud providers. The security program provides baseline standards to approve cloud services and products for governmentwide use.
By June 2014, all cloud services and products in use at federal agencies or in an active acquisition process must meet FedRAMP requirements.
So far, CGI Federal and North Carolina-based Autonomic Resources are the only companies that have completed the FedRAMP security reviews. The companies will be the first FedRAMP-approved vendors to host DoD’s public data inside commercial data centers.
DoD approval of these companies to provide commercial cloud services is imminent, according to DISA. Both companies have already seen big business among civilian agencies and have spots on the General Services Administration’s cloud computing contract.
GSA is deciding whether to stand up similar cloud broker services for civilian agencies, which could entail private companies serving as brokers.
Federal officials are working to streamline the government’s security program for cloud products and services.
A critical part of the Federal Risk and Authorization Management Program (FedRAMP) mandates that cloud vendors hire a third-party organization to verify they meet federal security requirements. Today, the General Services Administration and the National Institute of Standards and Technology must first approve those third-party organizations, or 3PAOs. Then there’s the task of monitoring the performance of the 3PAOs and recommending whether to renew or revoke their status.
In a request for information to industry, GSA asked for input on how to privatize the accreditation process for 3PAOs. As FedRAMP evolves into a fully operational program within the next month or two, GSA is identifying ways to scale the program and get more cloud contractors through the FedRAMP process.
To date, there are 16 companies designated as approved 3PAOs, but that number is expected to increase. Only two vendors have completed the FedRAMP process.
GSA wants to contract with a privatized board to accredit 3PAOs, based on program standards. GSA wants industry to comment on the evaluation process for 3PAOs and how long those companies should have to comply with new accreditation standards. Those responses are due Feb. 26.
CGI Federal this month became the second vendor to complete a new security review process for all federal cloud products and services.
The Virginia-based company already provides cloud computing services for several agencies, including the Department of Homeland Security, the General Services Administration and the Environmental Protection Agency.
The Federal Risk and Authorization Management Program (FedRAMP) was launched in June to standardize security reviews of commercial cloud products and is housed within GSA.
North Carolina-based Autonomic Resources was the first company to receive what’s called a provisional authority to operate from FedRAMP’s joint board of CIOs. The provisional ATO proves a vendor’s cloud services not only meet federal baseline standards, but also are secure enough for use by DHS, DOD and GSA.
GSA has not said how many cloud vendors will be certified through FedRAMP this year, but as of last month more than 80 companies were awaiting security reviews.
North Carolina-based Autonomic Resources last week became the only firm to complete a new security review process for all federal cloud products and services.
The Federal Risk and Authorization Management Program (FedRAMP) was launched in June to standardize security reviews of commercial cloud products. The program is housed within the General Services Administration.
As part of FedRAMP, a joint board of chief information officers from the Homeland Security and Defense departments and GSA reviewed Autonomic’s cloud offering and whether it met federal security standards. The company had to verify that it met some 300 security requirements, including proof that its systems operators, who have access to systems that provide government services, use two-factor authentication. This requires users to provide two forms of evidence to verify who they are before accessing the systems.
Autonomic is the first cloud vendor to receive a so-called provisional authority to operate (ATO) from the joint board of CIOs. The provisional ATO proves a vendor’s cloud services not only meet federal baseline standards, but also are secure enough for use by DHS, DOD and GSA.
The provisional ATOs are expected to speed adoption of cloud services throughout government because other agencies can accept the FedRAMP reviews and assess only their unique security requirements, as opposed to starting from scratch. “By using FedRAMP and eliminating redundant security assessments, agencies can save an estimated $200,000 per authorization,” GSA’s Dave McClure said in a statement.
By now, the administration had hoped to complete at least three FedRAMP reviews. In September, McClure said one challenge is that many vendors don’t understand federal security requirements.
The joint board expects to issue additional ATOs early this year, according to GSA.
By June 2014, all cloud services and products in use at federal agencies or in an active acquisition process must meet FedRAMP requirements. Agencies can use FedRAMP guidelines to vet the security of their own contractors, or wait for FedRAMP reviews to be completed.
A program intended to standardize the government’s security certification of cloud products and services is now accepting vendor applications.
Starting Wednesday, cloud service providers and agencies can apply to have products and services vetted under the Federal Risk and Authorization program (FedRAMP). The program is managed by the General Services Administration.
Companies that already provide cloud technology to agencies under GSA’s Infrastructure-as-a-Service contract will be among the first to have their technology vetted through FedRAMP. Companies on existing government contracts that provide popular cloud services, such as email services, will get priority vetting early on.
By June 2014, all cloud services and products in use at federal agencies or in an active acquisition process must meet FedRAMP requirements.