Amazon Web Services is the latest vendor to pass a rigorous security review for all federal cloud products and services.
So far, only CGI Federal and North Carolina-based Autonomic Resources have completed the Federal Risk and Authorization Management Program (FedRAMP). The governmentwide program was launched in June to standardize security reviews of commercial cloud products and is housed within the General Services Administration.
Under the FedRAMP program, Amazon was granted a provisional Authority to Operate (ATO) by the Health and Human Services Department. This means HHS has certified that Amazon’s GovCloud and regional cloud service offerings meet federal security standards, and the company’s services are authorized for use at HHS. The purpose of FedRAMP is for other agencies to save time and money by using or building on the security review HHS has done.
More than 300 government agencies are currently using Amazon Web Services, Teresa Carlson, vice president of worldwide public sector, said in a statement.
By June 2014, all cloud services and products in use at federal agencies or in an active acquisition process must meet FedRAMP requirements.
The General Services Administration is moving forward with plans to stand up a cloud broker contract for acquiring and managing the performance of federal cloud services.
The Department of Homeland Security is one of two agencies that have committed to testing GSA’s cloud broker model in a pilot program expected to launch this fall, said GSA’s Mark Day. Speaking Monday at the annual Management of Change conference in Maryland, Day said GSA will award one contract to test the concept of a broker model and reevaluate the pilot by year’s end to determine how it could be expanded.
GSA has not yet defined all the services a cloud broker would provide, but the National Institute of Standards and Technology defines a cloud broker as “an entity that manages the use, performance and delivery of cloud services and negotiates relationships between cloud providers and cloud consumers.” Technology research firm Gartner defines cloud brokerage as a business model in which an entity adds value to one or more cloud services on behalf of one or more cloud users.
Some question whether the cloud broker model will add value or end up costing agencies more money. In a Feb. 14 letter to Rep. Doris Matsui, R-Calif., GSA’s Lisa Austin said the cloud broker model could be more effective in creating ongoing competition among cloud providers, rather than awarding single contracts for each cloud service.
“Part of the pilot is really understanding what’s the right role, [and] what’s the right process” for a cloud broker model, Day told Federal Times. “We think we have an idea, but now we’ve got to test it.”
Day made clear what cloud brokers would not do: inherently governmental functions, such as contracting. It isn’t clear to what extent brokers would negotiate services between agencies and cloud service providers, but the hope is that cloud brokers will increase vendor competition, reduce pricing, and reduce the complexity of acquiring cloud services and integrating them with existing services.
Roughly 15 agencies are part of the cloud broker discussion, Day said. He would not name the second agency that has committed to testing the broker model because the agency has not announced it publicly.
The challenge for GSA has been attracting business to some of its existing federal contracts, rather than agencies launching their own contracts or using other agencies’ contracts. To garner greater use of its strategic sourcing contracts and future use of its cloud broker contract, GSA is meeting with agencies to determine their commitment to participate in market research and use the contracts, Day said. GSA can better leverage the federal government’s buying power, and vendors have an idea of what’s possible, in terms of business volume on a contract, he said.
The Defense Information Systems Agency is one step closer to standing up cloud broker services for the Defense Department.
As DoD’s cloud broker, DISA will manage the use, performance and delivery of cloud services and negotiate contracts between cloud service providers and DoD consumers.
DISA announced Tuesday that it has developed a process for gathering and assessing DoD’s cloud computing requirements and evaluating vendors’ cloud offerings against contract requirements, and has created a catalog of cloud services. In a June 2012 memo, DoD Chief Information Officer Teri Takai said all DoD components must acquire government- or industry-provided cloud services through DISA, or obtain a waiver.
DISA will manage cloud services categorized as low or moderate in terms of potential impact on DoD operations in the event of a disaster or cyberattack. The agency will also ensure that cloud offerings comply with the department’s information assurance and cybersecurity policies.
DISA is using Federal Risk and Authorization Management Program (FedRAMP) standards to vet cloud providers. The security program provides baseline standards to approve cloud services and products for governmentwide use.
By June 2014, all cloud services and products in use at federal agencies or in an active acquisition process must meet FedRAMP requirements.
So far, CGI Federal and North Carolina-based Autonomic Resources are the only companies that have completed the FedRAMP security reviews. The companies will be the first FedRAMP-approved vendors to host DoD’s public data inside commercial data centers.
DoD approval of these companies to provide commercial cloud services is imminent, according to DISA. Both companies have already seen big business among civilian agencies and have spots on the General Services Administration’s cloud computing contract.
GSA is deciding whether to stand up similar cloud broker services for civilian agencies, which could entail private companies serving as brokers.
Federal officials are working to streamline the government’s security program for cloud products and services.
A critical part of the Federal Risk and Authorization Management Program (FedRAMP) mandates that cloud vendors hire a third-party organization to verify they meet federal security requirements. Today, the General Services Administration and the National Institute of Standards and Technology must first approve those third-party assessment organizations, or 3PAOs. Then there’s the task of monitoring the performance of the 3PAOs and recommending whether to renew or revoke their status.
In a request for information to industry, GSA asked for input on how to privatize the accreditation process for 3PAOs. As FedRAMP evolves into a fully operational program within the next month or two, GSA is identifying ways to scale the program and get more cloud contractors through the FedRAMP process.
To date, there are 16 companies designated as approved 3PAOs, but that number is expected to increase. Only two vendors have completed the FedRAMP process.
GSA wants to contract with a privatized board to accredit 3PAOs, based on program standards. GSA wants industry to comment on the evaluation process for 3PAOs and how long those companies should have to comply with new accreditation standards. Those responses are due Feb. 26.
CGI Federal this month became the second vendor to complete a new security review process for all federal cloud products and services.
The Virginia-based company already provides cloud computing services for several agencies, including the Department of Homeland Security, the General Services Administration and the Environmental Protection Agency.
The Federal Risk and Authorization Management Program (FedRAMP) was launched in June to standardize security reviews of commercial cloud products and is housed within GSA.
North Carolina-based Autonomic Resources was the first company to receive what’s called a provisional authority to operate from FedRAMP’s joint board of CIOs. The provisional ATO proves a vendor’s cloud services not only meet federal baseline standards, but also are secure enough for use by DHS, DOD and GSA.
GSA has not said how many cloud vendors will be certified through FedRAMP this year, but as of last month more than 80 companies were awaiting security reviews.
North Carolina-based Autonomic Resources last week became the only firm to complete a new security review process for all federal cloud products and services.
The Federal Risk and Authorization Management Program (FedRAMP) was launched in June to standardize security reviews of commercial cloud products. The program is housed within the General Services Administration.
As part of FedRAMP, a joint board of chief information officers from the Homeland Security and Defense departments and GSA reviewed Autonomic’s cloud offering and whether it met federal security standards. The company had to verify that it met some 300 security requirements, including proof that its systems operators, who have access to systems that provide government services, use two-factor authentication. This requires users to provide two forms of evidence to verify who they are before accessing the systems.
Autonomic is the first cloud vendor to receive a so-called provisional authority to operate (ATO) from the joint board of CIOs. The provisional ATO proves a vendor’s cloud services not only meet federal baseline standards, but also are secure enough for use by DHS, DOD and GSA.
The provisional ATOs are expected to speed adoption of cloud services throughout government because other agencies can accept the FedRAMP reviews and assess only their unique security requirements, as opposed to starting from scratch. “By using FedRAMP and eliminating redundant security assessments, agencies can save an estimated $200,000 per authorization,” GSA’s Dave McClure said in a statement.
By now, the administration had hoped to complete at least three FedRAMP reviews. In September, McClure said one challenge is that many vendors don’t understand federal security requirements.
The joint board expects to issue additional ATOs early this year, according to GSA.
By June 2014, all cloud services and products in use at federal agencies or in an active acquisition process must meet FedRAMP requirements. Agencies can use FedRAMP guidelines to vet the security of their own contractors, or wait for FedRAMP reviews to be completed.
To date, the Army has migrated 500,000 email accounts to the cloud, according to a news release.
The Army expects to move a total of 1.6 million email users from disparate local servers to centralized servers operated by the Defense Information Systems Agency by March 2013. The Army projects the move, which began January 2011, will save $380 million through fiscal year 2017.
The migration hasn’t come without challenges, delays and much scrutiny. The Army was forced to suspend the migration in December after concerned lawmakers temporarily withheld funding for the program, pending a detailed review.
About 520,000 people across the Defense Department, including the Joint Staff, U.S. European Command and DISA, have migrated to the enterprise email service, according to DISA.
The Defense Department will expand its use of cloud computing through a four-step plan, which includes incentivizing DoD components to use shared cloud services and training acquisition professionals to procure cloud technologies.
DoD’s Cloud Computing Strategy released Wednesday outlines a phased approach for adopting both commercial and government-provided cloud solutions. According to the strategy, DoD will:
- Foster adoption of departmentwide cloud services through an outreach campaign to increase the number of cloud consumers and providers.
- Optimize data center consolidation by eliminating duplicative software and providing information technology services, hosted in the data centers, in a standard way.
- Incorporate cloud hardware and software into select DoD data centers.
- Deliver cloud services via DoD components, vendors or other agencies.
DoD cloud services will include messaging and collaboration capabilities, such as instant messaging, chat, email and web conferencing, and integrated voice, video and data services over the Internet.
The Defense Information Systems Agency will manage and negotiate cloud services on DoD’s behalf, but DoD chief information officer Teri Takai will be the final authority and provide oversight for the use of enterprise cloud services, according to the strategy. The cloud strategy is a key part of DoD efforts to provide seamless access to its data anytime, anywhere on any device.
“Cloud computing will enable the Department to consolidate and share commodity IT functions resulting in a more efficient use of resources,” the strategy said. However, funding, data migration from legacy systems to the cloud and security are among the challenges facing DoD.
One concern is that moving DoD data into a vendor’s cloud environment that operates outside of DoD’s operational control can increase security risks.
Vendors will have to provide visibility of real-time use and consumption of data in their cloud environment that meets DoD standards. Cloud providers hosting DoD data off site will also have to integrate their continuous monitoring and response capabilities with U.S. Cyber Command’s systems for protecting DoD information.
DoD will not use commercial cloud services to provide mission-critical data or services that, if lost, compromised or interrupted, could have severe or catastrophic effects on DoD operations.
A program intended to standardize the government’s security certification of cloud products and services is now accepting vendor applications.
Starting Wednesday, cloud service providers and agencies can apply to have products and services vetted under the Federal Risk and Authorization program (FedRAMP). The program is managed by the General Services Administration.
Companies that already provide cloud technology to agencies under GSA’s Infrastructure-as-a-Service contract will be among the first to have their technology vetted through FedRAMP. Companies on existing government contracts that provide popular cloud services, such as email services, will get priority vetting early on.
By June 2014, all cloud services and products in use at federal agencies or in an active acquisition process must meet FedRAMP requirements.
The National Institute of Standards and Technology wants to demystify cloud computing.
NIST released a special publication on Tuesday to “explain cloud systems in plain language” and provide information technology executives with recommendations, concerns and the benefits of migrating to the cloud.
The 81-page document explains the level of service agencies can expect in various cloud environments and what potential pitfalls they should be aware of, such as abrupt changes in service agreements by the cloud providers and scheduled service outages, depending on the type of cloud. Among the publication’s recommendations, agencies should:
- Develop a plan for migrating data to and from the cloud and for accessing the data once it is in the cloud.
- Require that a cloud provider offer a mechanism for deleting user data on request and providing evidence that the data was deleted.
- Request that a provider allow visibility into the operating services that affect your data or operations on that data, including monitoring of the system’s welfare.