
Feds to Unveil Cloud Security Guidelines

Late in 2010, the federal government issued draft plans for the voluntary Federal Risk and Authorization Management Program, dubbed FedRAMP. FedRAMP is expected to be operational by April 2011 and would verify that cloud services meet federal cyber-security requirements, which will likely put to rest the remaining government concerns about cloud security and speed up adoption of cloud technologies.

Developed with cross-government and industry support over the past 18 months, the voluntary program would put cloud services through a standardized security accreditation and certification process. Any authorization could subsequently be leveraged by other agencies. Federal CIO Vivek Kundra said in a statement, “By simplifying how agencies procure cloud computing solutions, we are paving the way for more cost-effective and energy-efficient service delivery for the public, while reducing the federal government’s data center footprint.”

The adoption of cloud computing has been promoted by the Obama Administration as a way to help save the government money, and Kundra and other top officials have championed the technology and instituted policies such as data center consolidation requirements, which could drive a shift to the cloud. Federal IT managers, however, have consistently cited security concerns as the biggest barrier to adoption.

The government’s security concerns arise partly because cloud computing is a relatively new paradigm that has to be adapted to the security requirements of regulations like the Federal Information Security Management Act (FISMA, which governs federal cyber-security for most government agencies). By mapping out the baseline security controls required for cloud systems, FedRAMP creates a consistent set of security baselines for cloud computing.

FedRAMP will seek to eliminate a duplicative, costly process to certify and accredit applications. Each agency used to take apps and services through their own accreditation process, but in the shared-infrastructure environment of the cloud, this process is redundant.

The FedRAMP draft is comprised of three major components: a set of cloud computing security baseline requirements; a process to continuously monitor cloud security; and a description of proposed operational approaches to authorizing and assessing cloud-based systems.

FedRAMP will be used for both private and public cloud services, and possibly for non-cloud computing information technologies and products. For example, two agencies have informed IBM of their intent to sponsor certification of their new Federal Community Cloud services.

Commercial vendors will not be able to request FedRAMP authorization directly; they will instead have to rely on the sponsorship of a federal agency that plans to use their cloud services. Guidance on the CIO Council’s website notes that FedRAMP “may not have the resources to accommodate all requests initially,” and that GSA will focus on systems with potentially larger user bases or cross-government interest, suggesting that the government expects a large amount of interest.

FedRAMP will remain an inter-agency effort under federal CIO Kundra’s authority and will be managed by GSA. The new Joint Authorization Board, which includes representatives from GSA and the Department of Defense, among others, will authorize the systems that go through the process together with the sponsoring agency.

Although FedRAMP provides a baseline accreditation, most agencies have security requirements that go beyond the FISMA baseline and thus may have to do additional work on top of the FedRAMP certification to make sure the cloud services they plan to deploy meet their own agency-specific requirements.

For more information regarding the Federal adoption of cloud technologies, visit Nubifer.com.