GSA gives FedRAMP structure as launch date draws near

A new Concept of Operations document has given the Federal Risk and Authorization Management Program much-needed structure and strength as it heads toward its launch in June.

FedRAMP is a governmentwide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The approach uses a “do once, use many times” framework that will save on the money, time and staff required to conduct redundant agency security assessments, GSA officials said.

The CONOPs document “puts real meat on the bones of FedRAMP so we can see how it is going to work in practice,” said Peter Gallagher, a managing partner with Unisys Federal Systems.


Related stories:

Could agencies’ individual needs break FedRAMP?

Federal CIO says FedRAMP to be mandatory


The concept of FedRAMP is to get reuse of security documents and approvals to operate. “It is a reuse strategy for security frameworks," Gallagher said. "In that regard we know it is long overdue."

“The fact that it takes incremental advantage of each authority to operate process regardless of the agency is a really innovative and agile way of achieving a reuse strategy for security frameworks,” Gallagher said. He noted that he was concerned that the government would be overwhelmed by the whole process of certifying cloud products and services so agencies could be given the authority to operate, but the document gives detailed direction on how the process will unfold.

“FedRAMP is a broad-reaching requirement that now has structure” that applies across government with both defense and civilian agencies, said Kevin Jackson, general manager of cloud services at NJVC, a services and technology company with a focus on cloud computing.

The only place FedRAMP doesn’t apply is where there is a single system within an agency that is not interacting with other agency systems, or where the systems comply with the Federal Information Security Management Act at the high security level. All systems that are at FISMA low and moderate security have to go through the FedRAMP process, Jackson said.

Some within the Defense Department might think they have their own security controls and frameworks and don’t need FedRAMP, Jackson, said, but that is not the case. DOD is a department, the armed services are agencies. So if an Army system is interacting with the Navy, FedRAMP will apply. Or the Navy might work with the U.S. Coast Guard on drug- or terrorist-related activity. There are two agencies where one in DOD, the other in DHS FedRAMP would apply, Jackson said, noting that most law enforcement information is at FISMA moderate level.

FedRAMP was developed in collaboration with the National Institute of Standards and Technology, GSA, DOD and the Homeland Security Department. Many other government agencies and working groups participated in reviewing and standardizing the controls, policies and procedures.

FedRAMP is still in pre-launch stage. The launch of its initial operational capabilities is slated for June 2012, and the focus will be on infrastructure as a service and e-mail as service, said David McClure, associate administrator with GSA's Office of Citizen Services and Innovative Technologies, during a call with reporters Feb. 8.

Full operational capabilities with manual processes are scheduled for the second quarter of fiscal 2013. At this stage, FedRAMP will incorporate more diverse products and services. By 2014, the government will move to full implementation with on-demand scalability and all federal agencies will be required to use the FedRAMP process for the assessment and authorization of cloud products and services.

The government is taking “a phased and calibrated [approach], designed to learn, adjust and correct as we go, rather than just jump-starting and putting everything through” at once, McClure said. Agencies have a two-year window to conform to FedRAMP, so they aren’t required to do everything now, he said.

There is still some activity occurring in the pre-launch stage leading up to initial operation in June. For instance, the government will publish agency compliance guidance, accredit three third-party assessment organizations that will perform initial and periodic assessment of cloud service providers per FedRAMP requirements, and release the charter for the Joint Authorization Board, which approves agencies’ authority to operate.

FedRAMP CONOPS includes three process areas: security assessment, leveraging of the authority to operate, and ongoing assessment and authorization, otherwise known as continuous monitoring. The security assessment process aligns with security controls and guidance in NIST Special Publication 800-37.

Two new documents that have been added to FedRAMP are the Control Tailoring Workbook and the Control Implementation Summary. The Control Tailoring Workbook is used by the cloud service provider to examine all the security controls of the FedRAMP baseline and determine if other tailoring is needed to provide those controls.

The Control Implementation Summary helps cloud service providers decide which security controls are the responsibility of the agency, which are the responsibility of the CSP, or whether there should be a hybrid or sharing of responsibility for some controls.

FedRAMP also will maintain a repository of standardized security assessment packages that federal agencies can use to make their own risk-based decisions to grant an authority to operate for a cloud solution for their agency. The repository will be key to the “do once, use many times” approach.

Another area the CONOPs document defines is incident response activity, said Unisys’ Gallagher. Continuous monitoring and management of systems are vital, not just the initial approval and submission of accreditation documentation, he added. The defining of incident response establishes a community around core infrastructure that will be used in the cloud.

For instance, e-mail and collaboration software in the cloud are important now. If there is an incident in that environment and it is shared and solved within that community, that is another degree of reuse. This approach provides improved efficiency and reduces the potential of each agency dealing with the incident independently.

Streamlining incident response “builds a community of interest around core cloud applications and all those things are good for security” and the government as well, Gallagher said.


Reader comments

Fri, Feb 17, 2012 Marilyn Hays Durham, NC

"The only place FedRAMP doesn’t apply is where there is a single system within an agency that is not interacting with other agency systems, or where the systems comply with the Federal Information Security Management Act at the high security level. All systems that are at FISMA low and moderate security have to go through the FedRAMP process, Jackson said."

This information is factually incorrect. FedRAMP applies to ALL government cloud systems except those serving a single agency housed within that agency's own data center. The FedRAMP Authorization is, by design, only provisional and constrained to the FedRAMP control set. It simply does not consider the selection of additional controls by a purchasing Agency, such as system High mode for example. The FedRAMP Authorization is not blanket authorization. Each agency buying cloud services must Authorize that system for use. Authorization of ALL controls selected by the Agency's IA cability is still the Agency's duty and responsibility. FedRAMP simply reduces the workload.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above