Federal Times Blogs
Federal officials are working to streamline the government’s security program for cloud products and services.
A critical part of the Federal Risk and Authorization Management Program (FedRAMP) mandates that cloud vendors hire a third-party organization to verify they meet federal security requirements. Today, the General Services Administration and the National Institute of Standards and Technology must first approve those third-party organizations, or 3PAOs. Then there’s the task of monitoring the performance of the 3PAOs and recommending whether to renew or revoke their status.
In a request for information to industry, GSA asked for input on how to privatize the accreditation process for 3PAOs. As FedRAMP evolves into a fully operational program within the next month or two, GSA is identifying ways to scale the program and get more cloud contractors through the FedRAMP process.
To date, there are 16 companies designated as approved 3PAOs, but that number is expected to increase. Only two vendors have completed the FedRAMP process.
GSA wants to contract with a privatized board to accredit 3PAOs, based on program standards. GSA wants industry to comment on the evaluation process for 3PAOs and how long those companies should have to comply with new accreditation standards. Those responses are due Feb. 26.
CGI Federal this month became the second vendor to complete a new security review process for all federal cloud products and services.
The Virginia-based company already provides cloud computing services for several agencies, including the Department of Homeland Security, the General Services Administration and the Environmental Protection Agency.
The Federal Risk and Authorization Management Program (FedRAMP) was launched in June to standardize security reviews of commercial cloud products and is housed within GSA.
North Carolina-based Autonomic Resources was the first company to receive what’s called a provisional authority to operate from FedRAMP’s joint board of CIOs. The provisional ATO proves a vendor’s cloud services not only meet federal baseline standards, but also are secure enough for use by DHS, DOD and GSA.
GSA has not said how many cloud vendors will be certified through FedRAMP this year, but as of last month more than 80 companies were awaiting security reviews.
North Carolina-based Autonomic Resources last week became the only firm to complete a new security review process for all federal cloud products and services.
The Federal Risk and Authorization Management Program (FedRAMP) was launched in June to standardize security reviews of commercial cloud products. The program is housed within the General Services Administration.
As part of FedRAMP, a joint board of chief information officers from the Homeland Security and Defense departments and GSA reviewed Autonomic’s cloud offering and whether it met federal security standards. The company had to verify that it met some 300 security requirements, including proof that its systems operators, who have access to systems that provide government services, use two-factor authentication. This requires users to provide two forms of evidence to verify who they are before accessing the systems.
Autonomic is the first cloud vendor to receive a so-called provisional authority to operate (ATO) from the joint board of CIOs. The provisional ATO proves a vendor’s cloud services not only meet federal baseline standards, but also are secure enough for use by DHS, DOD and GSA.
The provisional ATOs are expected to speed adoption of cloud services throughout government because other agencies can accept the FedRAMP reviews and assess only their unique security requirements, as opposed to starting from scratch. “By using FedRAMP and eliminating redundant security assessments, agencies can save an estimated $200,000 per authorization,” GSA’s Dave McClure said in a statement.
By now, the administration had hoped to complete at least three FedRAMP reviews. In September, McClure said one challenge is that many vendors don’t understand federal security requirements.
The joint board expects to issue additional ATOs early this year, according to GSA.
By June 2014, all cloud services and products in use at federal agencies or in an active acquisition process must meet FedRAMP requirements. Agencies can use FedRAMP guidelines to vet the security of their own contractors, or wait for FedRAMP reviews to be completed.
A program intended to standardize the government’s security certification of cloud products and services is now accepting vendor applications.
Starting Wednesday, cloud service providers and agencies can apply to have products and services vetted under the Federal Risk and Authorization program (FedRAMP). The program is managed by the General Services Administration.
Companies that already provide cloud technology to agencies under GSA’s Infrastructure-as-a-Service contract will be among the first to have their technology vetted through FedRAMP. Companies on existing government contracts that provide popular cloud services, such as email services, will get priority vetting early on.
By June 2014, all cloud services and products in use at federal agencies or in an active acquisition process must meet FedRAMP requirements.
An initial group of nine organizations has been selected to provide independent security reviews of cloud products and services used in the federal government.
As part of the Federal Risk and Authorization program (FedRAMP), expected to launch June 6, vendors must work with an approved third party assessment organization, or 3PAO, to validate if they’ve implemented baseline security standards. For years, these security reviews have varied across government and have cost agencies millions of dollars each year.
Approved 3PAOs include:
Department of Transportation Enterprise Service Center
Dynamics Research Corporation
J.D. Biggs and Associates Inc.
Knowledge Consulting Group, Inc.
SRA International, Inc.
Veris Group, LLC
A review board, comprised of officials from the National Institute of Standards and Technology and GSA, selected the first wave of 3PAOs. As part of the FedRAMP process, vendors must contract with a 3PAO to assess the security of their products and services.
“The accreditation process will eventually migrate to a board managed by private sector organizations,” according to the FedRAMP concept of operations document. “After the private sector accreditation body has been established, the FedRAMP PMO (program management office) will establish a transition timeframe for all 3PAOs to be accredited by the privatized board.”
Federal officials have completed two test runs of the government’s new cloud computing assessment program to work out any kinks before the June launch.
The General Services Administration, which manages the Federal Risk and Authorization Management Program (FedRAMP), held training sessions for chief information officers from GSA and the Defense and Homeland Security departments to simulate their roles on an interagency review board, said Dave McClure, associate administrator of GSA’s Office of Citizen Services and Innovative Technologies. CIOs reviewed mock security assessments to discuss whether they met FedRAMP standards.
Starting in June, the interagency board will review companies on GSA’s Infrastructure-as-a-Service contract and others that are providing similar services to agencies across government. Vendors that are not initially reviewed by the board will have to show they meet FedRAMP security standards through an approved independent assessor.
“We are trying to get the process worked out and tested,” McClure said. “How do we set this up so that we streamline [FedRAMP] and… become aggressive solution finders for answers to questions or problems?”
There is often miscommunication between the agency and vendor on what is acceptable proof to verify security of a service or product, said McClure, who spoke at an Association for Federal Information Resource Management event Friday morning. GSA will soon provide standard templates for agencies and cloud providers to use throughout the process, McClure said.
“It creates shared expectations up front… based on clear tangible documents that explain what needs to be done,” said Kathy Conrad, principal deputy associate administrator for GSA’s Office of Citizen Services and Innovative Technologies.
The interagency group of CIOs, called the joint authorization board, will have to meet virtually and in person to work through the FedRAMP review process, McClure said. The board will rely heavily on technical representatives to help review vendors’ security packets and streamline the review process.
Still, there are other issues that must be addressed, such as continuous monitoring.
GSA has not decided how the government will determine the ongoing security of its vendors. What information will be exchanged and who can access the information has not yet been determined, McClure said.
GSA is still working through program logistics, but CIOs are confident that FedRAMP will have many benefits.
FedRAMP will drive greater adoption of cloud computing in the federal government and spur increased competition for federal business, said DHS CIO Richard Spires, who also spoke at the event.
The program is also in line with the federal CIOs’ vision for shared services, said GSA CIO Casey Coleman.
“It’s not going to be perfect, but we have spent a lot of time trying to think through how to make sure this works well,” McClure said.
As many as 20 cloud computing vendors will be certified for federal use under a new security assessment program when it launches in June.
The General Services Administration, which manages the Federal Risk and Authorization Management Program (FedRAMP), has said that companies already providing cloud technology to agencies under GSA’s Infrastructure-as-a-Service contract will be among the first to have their technology vetted through the program.
Vendors on GSA’s upcoming Email-as-a-Service contract will also be given priority. After being vetted and meeting any additional standards to ensure security, companies are approved to offer their products and services for sale to agencies. Anywhere from six to 20 contractors will go through FedRAMP in the first six to eight months, said Dave McClure, associate administrator of GSA’s Office of Citizen Services and Innovative Technologies.
“It is not going to be a situation where we will be drowning in FedRAMP applications,” McClure said in an interview this month. “We want to roll this out very cautiously and carefully, [and] make sure it works.”
By fiscal 2014, FedRAMP will be a sustaining program and all products are expected to go through the process, he said.
FedRAMP security requirements, largely based on standards set by the National Institute of Standards and Technology, will apply to information technology systems at the low and moderate security levels.
For example, vendors must be able to prove that they use two-factor authentication. Their systems operators must present two forms of evidence, such as a password and an identification card, to verify who they are before accessing systems that provide government services.
Vendors and agencies will have a year to comply with updated security standards, which NIST expects to release in July.
NIST identified gaps in previous guidance to address new challenges, such as insider threats, supply chain risk, and mobile and cloud computing technologies, said NIST fellow Ron Ross in an interview.
NIST standards address the need for cloud vendors to detail where government data is physically stored and processed and to provide a clear contingency plan in case of a terrorist attack or cyber incident.
According to the most recent data from 2009, agencies spend $300 million annually to test the security of IT systems and approve their use in the federal government.
“One of the promises and the benefits of FedRAMP is that we think it will save about 30 to 40 percent of governmentwide costs associated with assessing, authorizing, procuring and continuously monitoring these cloud solutions,” federal Chief Information Officer Steven VanRoekel said in December when announcing FedRAMP. The government spends “hundreds of millions of dollars a year securing information technology systems, and much of that work is duplicative, inconsistent and time-consuming.”
FedRAMP will allow agencies to reduce the number of people it takes to assess and authorize the security of their systems by 50 percent and cut the assessment time by 75 percent, according to the Office of Management and Budget.
The National Institute of Standards and Technology on Tuesday released proposed revisions to its requirements that govern how agencies secure their federal information systems.
Proposed changes to Special Publication 800-53, Revision 4, address new challenges that agencies face, including insider threats, supply chain risk, mobile and cloud computing technologies, and other cybersecurity issues and challenges, NIST said in a news release.
“The changes we propose in Revision 4 are directly linked to the current state of the threat space — the capabilities, intentions and targeting activities of adversaries — and analysis of attack data over time,” NIST fellow Ron Ross said in a statement.
“Many organizations are concerned about advanced persistent threats, so we added new controls that will allow organizations to use different strategies to combat those types of threats,” Ross said.
The proposed revisions add new security controls, or descriptions of what agencies must do to properly manage an information system, clarify security control requirements and enhance others.
Once approved, the changes will be used by the Federal Risk and Authorization Management Program (FedRAMP) to assess the security of cloud computing service providers. The administration plans to begin certifying cloud computing solutions under the mandatory security assessment program in June.
The public comment period for NIST’s revisions is from Feb. 28 to April 6, and the final document is expected to be released in July, after FedRAMP reviews begin.
It isn’t clear how long cloud vendors will have to adjust to the changes. And those details were not included in a new charter that defines the role of FedRAMP’s Joint Authorization Board, composed of chief information officers at the General Services Administration and Homeland Security and Defense departments.
The board will prioritize which cloud vendors will be first to undergo FedRAMP reviews, define security authorization requirements for vendors and provide the criteria for approving independent assessors to review the security of cloud solutions. The board is required to meet formally at least twice a year and to appoint technical representatives who meet on a monthly basis.
The General Services Administration late last week released security standards cloud solutions must meet before operating within federal agencies.
The security controls are part of the Federal Risk and Authorization Management Program (FedRAMP) launched by the federal chief information officer in December. FedRAMP is intended to quickly ensure that commercial cloud computing technology meets federal security standards so that agencies can more readily adopt it.
The security requirements, largely based on standards set by the National Institute of Standards and Technology, will apply to information technology systems at the low and moderate security levels. They address issues such as continuous monitoring and vendors notifying system administrators and FedRAMP of any malicious code.
GSA officials will provide more details about FedRAMP and the security controls at a briefing on Wednesday.
Starting next month, GSA will begin releasing documents that detail how the requirements of each security control will be met and how the implementation of each control will be assessed and tested. On Feb. 7, GSA will release the FedRAMP Concepts of Operations.
Federal Chief Information Officer Steven VanRoekel is expected to make an announcement on Thursday detailing the administration’s long-awaited Federal Risk and Authorization Management Program (Fedramp).
VanRoekel will be joined by Dave McClure of the General Services Administration, Department of Homeland Security CIO Richard Spires and Charles Romine of the National Institute of Standards and Technology, the Office of Management and Budget said in a news release. They will provide an update about efforts to reform federal information technology and details about how Fedramp will allow the government to more easily purchase and use cloud technologies.
The goal of Fedramp is to help agencies overcome their security concerns with cloud computing. A joint authorization board, whose members include the CIOs at DHS, GSA and the Defense Department, is responsible for authorizing the use of vendors’ cloud computing systems at federal agencies. The board is tasked with making final decisions about the Fedramp security controls, policies and procedures used to determine the security level of cloud computing products.
Rather than seeking certifications from multiple agencies, Fedramp-certified vendors will have to meet a standard set of security requirements only once, which qualifies them to do business with multiple agencies.
Fedramp launched in 2009 and was expected to be implemented in late 2010, according to a September report by the Government Accountability Office. But GSA and OMB said the range of stakeholders involved slowed down the process.
The report also includes program goals:
- Develop a cloud computing security requirements baseline that is used across the federal government.
- Develop and implement processes for joint security assessment, authorizations, and continuous monitoring of cloud computing services.
- Promote consistent interpretation of cloud service provider authorization packages through a standard set of processes and evaluation criteria.
- Improve consistency and efficiency of continuous monitoring of cloud computing systems and foster cross-agency knowledge sharing and communication of best practices.
- Obtain interagency vetting and buy-in of the approach to security assessment, authorizations, and continuous monitoring of cloud computing services.