In September 2009, the Obama Administration announced the Federal Cloud Computing Initiative. As the government’s CIO explained, cloud computing “has the potential to greatly reduce waste, increase data center efficiency and utilization rates, and lower operating costs.” The Federal Risk and Authorization Management Program (FedRAMP) addresses the key elements of a cloud computing framework for federal agencies.
Federal use of “shared pool of configurable computing resources” does, however, present special cybersecurity challenges – particularly with regard to continuous monitoring.
As many officials inside and outside government are painfully aware, “security authorizations have become increasingly time-consuming and costly both for the Federal Government and private industry.” Cloud computing offers a path to substantially improving cybersecurity cost-effectiveness, but only if security approvals can be shared by the cloud’s users.
Right now, for an agency to obtain the needed sign-offs to use cloud-based computing is an expensive and redundant process. As GSA explained in testimony before Congress, “one of the most significant obstacles to the adoption of cloud computing is security. … agencies need to have valid certification and accreditation (C&A) process and a signed Authority to Operate (ATO) in place for each cloud-based product they use. While vendors are willing to meet security requirements, they would prefer not to go through the expense and effort of obtaining a C&A and ATO for each use of that product in all the federal departments and agencies.”
In response to the need for practical, cost-effective cloud computing security, GSA led the effort to create the interagency FedRAMP. In basic terms, FedRAMP's purpose is to give cloud service providers a process for obtaining an Authority to Operate (ATO) that can be shared across agencies, so that the assessment work is done once rather than repeated by every agency that adopts the service.
An “authorize once, use many” approach to security authorization is essential if cloud computing is going to achieve the needed cost-effectiveness goals. As a senior GSA official explained on the Innovation in the Business of Government blog,
Our aim is that FedRAMP provide the framework for a standard and secure approach to Assessing and Authorizing (A&A) cloud computing services and products. It would allow joint authorizations and continuous security monitoring services for Government and Commercial cloud computing systems intended for multi-agency use.
The implications of this are huge. Implementation time for FedRAMP-certified vendors would be dramatically cut: instead of taking months to obtain a security authorization, it could take weeks. Additionally, the cost to an agency of granting an Authority to Operate could be minimal, potentially only the time it takes to review the existing FedRAMP authorization package.
FedRAMP’s first major accomplishment was the publication for public comment of Proposed Security Assessment and Authorization for U.S. Government Cloud Computing. The document includes a chapter focused on continuous monitoring which explains,
FedRAMP is designed to facilitate a more streamlined approach and methodology to continuous monitoring. Accordingly, service providers must demonstrate their ability to perform routine tasks on a specifically defined scheduled basis to monitor the cyber security posture of the defined IT security boundary. While FedRAMP will not prescribe specific toolsets to perform these functions, FedRAMP does prescribe their minimum capabilities. Furthermore, FedRAMP will prescribe specific reporting criteria that service providers can utilize to maximize their FISMA reporting responsibilities while minimizing the resource strain that is often experienced.
In short, FedRAMP provides the guidance necessary for efficient continuous monitoring in federal cloud computing environments. FedRAMP is a key initiative for realizing major savings, and it allows agencies to tap into emerging technologies faster.
The conclusion is clear: FedRAMP is essential if the federal government is to achieve secure, cost-effective cloud computing. The program must continue in order to deliver major cost savings across agencies and to improve compliance with the NIST Risk Management Framework (RMF).