June 6, 2012
After more than a year and a half of announcements and preparations, the Federal Risk Authorization and Management Program (FedRAMP) finally opened its doors on June 6, jump-starting the process of certifying the cloud computing security of providers looking to earn government contracts.
Agencies are more prepared for a move to the cloud than they were when the plan came into existence 19 months ago. Cloud providers are also in a better position to offer the appropriate services, as they have gained a greater, if not perfect, understanding of how to secure cloud computing. The hope, federal CIO Steven VanRoekel told Government Computer News, is that tools such as FedRAMP will accelerate adoption of cloud services in the public sector.
The program will vet potential cloud providers for use in government agencies, the next step toward widespread implementation of President Barack Obama's cloud-first initiative. Under the program, which is run by the General Services Administration, companies will be forced to meet more than 150 controls concerning cloud security to gain a seal of certification, although once-prominent issues such as real-time threat reporting have been relaxed due to logistical hurdles and bureaucratic red tape.
A group of approved third-party assessors will begin conducting a series of reviews to see that the companies are up to par with the government-set standards. Passing the initial assessment - the first of three - will grant a provider a provisional authority to operate, according to Federal News Radio.
The manager for GSA's cloud computing program, Katie Lewin, told FNR that at least three cloud services will be through the approval process by December, and on the road to full operations by the early spring of 2013, with government agencies continuing to move to secure cloud computing services in the interim.
Small business issues
A GSA plan to offer first crack at certification to companies already holding government contracts drew the ire of the Software and Information Industry Association (SIIA) for the plan's apparent break from a 2010 proposal to reform the federal IT system that looked to support adoption of innovative technologies from smaller companies. Because the GSA is prioritizing companies that already have contracts - largely bigger providers - the SIIA feels that small businesses are being denied a fair shake.
SIIA released its critique on the eve of the FedRAMP launch, also pointing to the fact that many agencies would likely have additional requirements on top of the government-required certification. Because this would force the customization of services, the association is concerned that smaller companies won't be able to cope with any additional demands.
-McAfee Cloud Security