The Federal Risk and Authorization Management Program (FedRAMP) was launched in June 2012 to support the adoption of standardized cloud services among federal agencies in response to President Barack H. Obama's "cloud first" policy -- a move intended to reduce the government's IT spending by cutting the number of data centers in use and sharing computing resources.
To continue working with the federal government, cloud service providers (CSPs) had to apply for an authorization to operate (ATO) via either the FedRAMP Joint Authorization Board (JAB) or directly through a government agency by June 5, 2014. It's a feat that 12 CSPs have completed to date -- Akamai Technologies, Amazon Web Services, HP, IBM, Lockheed Martin, Microsoft and Oracle among them -- with dozens more stuck in a lengthy queue.
While FedRAMP was created to save federal agencies both time and money ($40 million so far based on FISMA reporting), the accreditation program has been touted in some corners as a standards-based cloud security approach that could serve as a model for other CSP environments. In June, FedRAMP director Maria Roat said contacts from private industry and governments around the world are looking to build standards-based security programs on the back of FedRAMP. Such a development may prove vital to the cloud industry, as security has remained the number one concern for most organizations offloading services to cloud environments.
Continuous monitoring of cloud systems
FedRAMP accreditation promises to ease security concerns by ensuring cloud environments maintain a proper security posture. Joe Vehemente, the service line manager of Akamai Technologies' federal division, said FedRAMP was one of the "broadest and deepest security commitments" his company has ever made. The content delivery and cloud infrastructure services provider was granted a provisional ATO in 2013, a feat that will have to be consistently repeated through monthly, quarterly and yearly reviews due to the continuous monitoring aspect of the program.
"Going through the process, we actually had to document all of our responses to all the security controls within the FedRAMP baseline," said Vehemente, noting the demands of the rigorous FedRAMP documentation process. "It definitely strengthened our security posture to where we had to make sure we were dotting our i's and crossing our t's."
FedRAMP's security controls are based on guidance from the stringent National Institute of Standards and Technology Special Publication 800-53 Revision 3, which has been used throughout the federal government for years. FedRAMP 2.0 -- the update to the cloud program that was finalized only days after the initial June deadline had passed -- toughens the requirements laid out by making corresponding changes to align with revision 4 of NIST SP 800-53, released in April 2013.
The FedRAMP program ratchets up the standard of security expected of cloud providers to the point that even government entities, like the Department of Defense, that maintain the strictest security requirements can now utilize cloud services. Department of Defense CIO Teri Takai, who serves on the FedRAMP JAB, has signaled in recent interviews that FedRAMP is helping shape how cloud providers implement security controls to the point that the government has had to offer a branding guide for FedRAMP-certified providers. As part of its general guidelines, the branding guide states: "The FedRAMP name and marks may never be used in any manner that would imply government endorsement of a company, its products, or its services."
FedRAMP is great, if you can use it
The FedRAMP accreditation raises the bar for cloud security standards, but only certain organizations -- read: U.S. government agencies -- are actually able to take advantage of the security benefits of the government's program right now, said David Escalante, director of computer security and policy at Boston College.
Escalante said that he would be interested in moving his hosted services to cloud environments that have undergone the FedRAMP authorization process, but current FedRAMP-certified providers haven't subjected all of their services to the accreditation process. IBM offers numerous cloud services, for example, but only its infrastructure-as-a-service offering, SmartCloud for Government, is currently FedRAMP-certified.
While some CSPs may use FedRAMP as a security selling point for customers beyond the federal government, such assertions are akin to an auto repair shop that claims to have a certified mechanic on hand, according to Escalante: The certified mechanic does him no good if an uncertified mechanic is actually the one handling the repairs. "[W]ith a provider that is FedRAMP-certified, I wouldn't be convinced that I was buying FedRAMP just because I was buying their service," he said.
"I do think a provider getting a FedRAMP ATO speaks to its commitment to security and compliance," said Stu Fleagle, vice president of government solutions for managed hosting and cloud provider Carpathia, which is currently undergoing the U.S. government's authorization process in collaboration with VMware for an enterprise hybrid vCloud service.
Carpathia works with state, local and higher education groups -- which often follow the direction of the federal government -- and they have yet to show an appetite for FedRAMP-authorized services, according to Fleagle. However, software as a service providers with clients that serve federal agencies are likely to face pressure to offer FedRAMP-compliant environments, he said.
Ramping up contract negotiations
Richard Santalesa, founding attorney with the [email protected] Group, in Fairfield, Connecticut, said there are still ways that private organizations can take advantage of FedRAMP standards. He advises clients to push for the inclusion of the same security controls in contract negotiations with cloud providers, using the FedRAMP Standard Contract Language as guidance.
Successful negotiations can depend on the size of the cloud customer -- a Fortune 500 company purchasing millions in services is more likely to get all of the desired controls. Cloud providers will become less resistant to such requests as FedRAMP environments become more widespread, according to Santalesa.
What's Coming in FedRAMP 2.0
- Based on NIST SP 800-53 Rev 4
- April 22, 2014: Transition plan released
- June 5, 2014: FedRAMP deadline to meet initial requirements (based on NIST SP 800-53 Rev 3)
- June 6, 2014: FedRAMP Rev-4 documents and template updates released
- 325: The number of security controls included in the NIST 800-53 Rev 4 baseline (Rev 3 had 298 controls)
- Rev 4 requirements: CSPs in the in-process and continuous-monitoring stages have to update to new baseline during annual assessment; those in the initial stages will use new Rev 4 templates
Source: FedRAMP Program, Office of Citizen Services and Innovative Technologies
"In some cases, we were able to get basically the same functionality, not necessarily the FedRAMP stamp, but essentially the same parameters," he said. "And in one successful case, a client was basically able to utilize the same FedRAMP contracting language because a federal agency had just utilized [the cloud service provider]."
As to whether FedRAMP accreditation can become a de facto security standard across the cloud industry, Santalesa cautioned that it is still early days for the federal program. Several of the law firm's clients within the critical infrastructure sector have already taken an interest in FedRAMP-certified cloud services due to the overlapping guidelines in the NIST SP 800-53 and the NIST cybersecurity framework, which was released in February.
Higher education has made attempts at creating a universal standard similar to FedRAMP among the academic community to avoid redundant cloud security assessments. Such efforts have failed, according to Boston College's Escalante, because the institutions either couldn't coalesce around a single standard -- like those from the Cloud Security Alliance -- or the standards weren't open and required some sort of licensure agreement.
For now, the SSAE 16 SOC 2 Type II report is the most thorough assessment of a cloud provider's security, Escalante said, assuming it covers all five domains (security, confidentiality, privacy, availability and processing integrity). "FedRAMP is a fine thing, and if we could get people to use it that's great," said Escalante. "We've sort of backed off on the whole trying to push the battle forward of what the standard should be, whether it is FedRAMP or something else."