Fed CIO: Minimum Security Standards Set for Cloud Providers

Tuesday, December 20, 2011

Bill Gerneglia


Article by Sara Jameson

The White House and the Federal CIO have finally released fully defined security requirements for federal cloud computing providers. The latest security initiative has been called FedRamp.

With FedRAMP, federal agencies will be able to evaluate and monitor cloud providers to ensure their services meet minimum security standards set be the CIO office.

The federal government has launched an assessment and monitoring program under which cloud providers have to commit to a certain level of security before being allowed to work with the government.

The Federal Risk and Authorization Management Program (FedRAMP) establishes a baseline of security requirements for government contractors interested in providing the federal government with cloud services, the Office of Management and Budget said recently.

Over two years in making, the finalized FedRAMP is a "first step" toward securing cloud environments, according to Federal CIO Steven VanRoekel.

FedRAMP in Use

The Federal Risk and Authorization Management Program was established to provide a standard approach to Assessing and Authorizing cloud computing services and products. FedRAMP allows joint authorizations and continuous security monitoring services for Government and Commercial cloud computing systems intended for multi-agency use.

Joint authorization of cloud providers results in a common security risk model that can be leveraged across the Federal Government. The use of this common security risk model provides a consistent baseline for Cloud based technologies. This common baseline ensures that the benefits of cloud-based technologies are effectively integrated across the various cloud computing solutions currently proposed within the government.

The risk model will also enable the government to "approve once, and use often" by ensuring multiple agencies gain the benefit and insight of the FedRAMP's Authorization and access to service provider’s authorization packages.

The federal government spends hundreds of millions of dollars securing its IT systems, and much of the tasks are "duplicative, inconsistent and time consuming," according to VanRoekel.

FedRAMP's "do once, use many times" framework will save money, time and staff required to conduct security assessments, he said. VanRoekel estimated there will be a 30 percent to 40 percent cost savings for the government while securing cloud services under FedRAMP.

"FedRAMP enables agencies to deploy cloud technologies, while realizing efficiencies of scale to substantially reduce costs and transition time," he wrote on the White House blog.

Beginning June 2012, all federal agencies must use FedRAMP when evaluating and purchasing "commercial and non-commercial cloud services that are provided by information systems that support the operations and assets of the departments and agencies," according to VanRoekel.

The requirement covers systems that are provided or managed by other departments or agencies, contractors, or other sources, VanRoekel added. Because vendors will already be certified under FedRAMP, agencies will be able to move through the procurement process more easily and cheaply.

Cross-posted from myITview.com via CIOZone

Possibly Related Articles:
Cloud Security
Service Provider
Compliance Cloud Security Government Managed Services Guidelines FedRAMP Federal
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.