FedRAMP shows promise one month after launch

July 20, 2012

Despite fighting resistance to overarching cultural changes, the first month of the Federal Risk and Authorization Management Program (FedRAMP), designed to assess and standardize cloud security among federal providers, has largely gone according to plan, with just a few hitches. Following the program's launch on June 6, the steps toward full accreditation of government cloud computing providers have officially begun.

Director of the General Services Administration's (GSA) cloud computing program, Katie Lewin, told Federal Computer Week (FCW) that the certification process is underway, with 30 service providers requesting to be vetted for their security measures. Ten third-party organizations have been accredited to carry out the assessments.

Under FedRAMP, any new providers coming into the fold must comply with regulations from the outset. Any existing programs have two years to get in line with the initiative.

Cultural barriers
With such an overarching process, small holdups were inevitable. Perhaps the largest barrier - attempting to move agency culture in step with the program - has taken a lot of effort, but is closer to being overcome. Simply getting various agencies to agree on a uniform set of controls is enough of a challenge, a familiar struggle in government that Lewin described as a "long process."

Getting beyond that point proved even tougher.

"We're continuing to address the challenge of the dreaded phrase, 'change management,'" Lewin told FCW. "Nobody likes that phrase, but the fact is, that's what this is. This is not reinvention … it's just trying to move things into a standard process that can be applicable across agencies."

Moving forward
Adjusting to a new management program has proved to be difficult, but the holdup over a general move to cloud services seems to be winding down. On top of the massive cloud policy recently released by the Department of Defense, smaller agencies are beginning to plan a full-throttle migration in the near future as well.

According to Government Computer News, the Environmental Protection Agency plans to move much of its computing to the cloud in the next three years. After shifting 20 percent over to cloud environments by the end of 2012, the EPA plans to move an additional 30 percent in each of the next two years. By 2015, the agency aims to have 80 percent of its computing capabilities operating out of the cloud.

-McAfee Cloud Security