Fed’s Security Frameworks Offer Cloud Opportunities, Challenges
By Marie Lingblom
The Federal Risk and Authorization Management Program (FedRAMP) was launched earlier this month to provide a government-wide program that delivers a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.
Since cloud computing utilizes networks and the Internet to deliver virtual computing resources to users, it enables organizations to use hardware capacity and software licenses as needed, without paying for idle resources. One of the biggest barriers to government adoption of cloud computing is, of course, concern over whether security is effective enough for this still-emerging technology and its related services.
IBM, Microsoft and Google are among the top competitors for federal cloud computing contracts. IBM recently added to its expanding variety of cloud offerings with the IBM SmartCloud Social Collaboration for Government. The new offerings are Software as a Service (SaaS) options for e-mail and collaboration solutions designed to meet federal government guidelines and requirements. The goal is to move from premise-based hardware and software solutions to a service that allows for a usage-based model without up-front investments.
FedRAMP’s goal is to breathe life into President Obama’s commitment to a cloud-first strategy that calls for agencies to consider cloud computing options before others, for similar reasons. Federal agencies have already eliminated 50 legacy systems, moved 40 services to the cloud, and targeted 79 more to be migrated by June 2012, according to Steven VanRoekel, Federal Chief Information Officer, in a FedRAMP memo launching the program.
The federal government spends nearly $80 billion annually on technology that supports everything from defending U.S. borders to protecting the environment. FedRAMP’s “do once, use many times” cloud services approach is being targeted to save approximately 30 percent to 40 percent of government IT costs.
Some industry watchers, however, have welcomed the news with a bit of caution. In particular, they point to potential complexity, red tape and bottlenecking that could be caused by a new requirement for all cloud offerings to be accredited by an independent third-party organization, and then certified under FedRAMP.
The General Services Administration, Department of Defense and Homeland Security are charged with overseeing the FedRAMP authorization board and are responsible for the requirements and approval of accreditation for the third-party organizations that will assess cloud providers for FedRAMP compliance. GSA, meanwhile, will also create service-level agreements and templates, and will organize and share assessment, accreditation and authorization information across federal agencies, according to the FedRAMP memo released earlier this month.
More specifics from the CIO Council are expected within the next month, and more detailed documentation is expected within 60 days. VanRoekel’s memo indicates the program is targeted at achieving operational status in about 180 days.