Cloud Computing – Here to Stay?
After two years in development, the OMB officially released the Federal Risk and Authorization Management Program (FedRAMP). This program standardizes security requirements for federal agencies procuring cloud computing solutions and for contractors that sell these solutions. Agency CIOs must adhere to FedRAMP beginning June 2012.
All the details of FedRAMP have not yet been released. The security controls for contractors have been released and are based on existing National Institute of Standards and Technology (NIST) security controls for federal IT systems, plus 70 cloud-specific requirements. We also know that FedRAMP will use third-party assessment organizations (3PAOs) to independently assess FedRAMP compliance. Furthermore, a Joint Authorization Board (DHS, DoD, and GSA) will define and update the security authorization requirements on an ongoing basis and approve accreditation criteria for the 3PAOs. More information on these elements will soon be released.
FedRAMP is a step in the right direction to embrace new technologies, while remaining focused on security and standards; however, our initial observations include:
- Many contractors have invested in cloud solution offerings (both organic development and via acquisition). FedRAMP reaffirms the viability of the cloud opportunity and the ROI potential of these investments. By design, the program should accelerate controlled cloud adoption.
- FedRAMP attempts to eliminate duplicative costs, with estimated savings of up to 30-40% in securing systems. Additionally, baseline security standards and pre-vetted solution providers should streamline procurement. While we do not dispute the potential procurement and operating cost savings, FedRAMP may create significant bureaucracy with each new organization – 3PAOs, the Joint Authorization Board, and the FedRAMP PMO. Who will absorb these costs, and will they cannibalize the expected cost savings?
- The FedRAMP memo stated that it “introduces an innovative policy approach to develop trusted relationships” between agencies and providers. It is unclear how introducing a third-party agency as a middleman will foster a more trusted relationship. It also raises the question: with more stakeholders involved, where will accountability reside? Does the government intend to shift responsibility to the contractor, and what will be the penalties for contractors that misrepresent themselves to 3PAOs?
As more details about FedRAMP surface and as the requirements are implemented starting in mid-2012, we should see answers to our aforementioned questions; however, per the Federal CIO, FedRAMP is an “evolving and iterative program”.