
Is FedRAMP working? It better.

Is FedRAMP, the government's standardized approach to cloud security, working?

All cloud services and products in use by the federal government and in active acquisition must be FedRAMP-compliant by June 2014. As vendors work their way through the assessment process with the deadline a mere seven months away, the question of whether or not the program is working is being raised by some observers in government and industry.

“Is it working? It is going to have to work,” said Sarah Mosley, network and infrastructure security branch chief of the Homeland Security Department’s Office of Cyber Security and Communications. FedRAMP is currently the only standardization program to address the federal government’s cloud security accreditation and authorization requirements, Mosley said Nov. 6 during a panel on consuming cloud computing at FedScoop’s Red Hat Government Symposium in Washington, D.C.

The program will continue to mature, she said, noting that large companies such as Amazon Web Services and Microsoft, both of which have received the FedRAMP stamp of approval, recognize that this is the way the government is going to pursue security accreditation for cloud services and products.

IBM can now be added to that list. IBM's SmartCloud for Government platform is the most recent cloud environment to receive a provisional authority to operate from the FedRAMP Joint Authorization Board, making the company a more attractive cloud services provider for potential federal customers, according to FCW.

With the addition of IBM, nine companies and one government agency – the Agriculture Department’s National Information Technology Center – have gone through the rigorous accreditation process and been granted either a provisional or an agency authority to operate under FedRAMP.

The real measure of FedRAMP success is not how many vendors get through the assessment program, but how many agencies are really using the packages once the cloud service providers are accredited, said David Blankenhorn, chief cloud strategist for DLT Solutions and also a member of the Red Hat cloud panel.

Blankenhorn said that FedRAMP is working on a high level. Most of the core cloud service providers are new to the federal public sector, so they must learn to speak a completely different language, he said, which accounts for why there are not more cloud providers receiving the FedRAMP authority to operate. Commercial providers must adhere to more than 290 security controls, document their security processes and then go through an audit, which is a massive undertaking, Blankenhorn noted.

About the Author

Rutrell Yasin is a freelance technology writer for GCN.

Reader Comments

Thu, Jan 23, 2014

Maria, from CIO memo: "10 For all currently implemented cloud services or those services currently in the acquisition process prior to FedRAMP being declared operational, security authorizations must meet the FedRAMP security authorization requirement within 2 years of FedRAMP being declared operational." Also here: http://cloud.cio.gov/fedramp/agency

Wed, Jan 22, 2014 Maria Stanley

Which policy mandates the FedRAMP compliance by June 2014? I only know about the Dec 2011 Fed CIO FedRAMP memo which does not specify this deadline. Thanks!

Tue, Jan 21, 2014

So basically the original poster is stating that everyone should throw security out the window for innovation/development? FedRAMP isn't killing innovation or making it only for big companies. It is actually better for a small company, because they can go through FedRAMP, become certified, and use that for all of their Federal contracts, without having to go through individual accreditations.

Fri, Nov 29, 2013

The first company to be FedRAMP authorized was a small company. Many large companies are at a disadvantage due to the politics within their own organizations. Having worked at FedRAMP previously, I would say that small companies can get FedRAMP authorized if they are willing to make the commitment.

Fri, Nov 22, 2013

FedRAMP is in response to some of the cyber security threats that agencies have dealt with for years. However, FedRAMP security vulnerabilities are the following: transparency of information regarding the health of the controls, insider threat, opsec, and supply chain. Principal Risk is also a looming issue. The company could get so big it decides to avoid regulation and it's going off-shore. Those missions housed in those systems are now in physical risk from not only nation-states but also small organized groups. Companies gaming security regulations will result in issues not being recognized or dealt with until the problem collapses of its own weight. (See current banking crisis.) People will learn not to trust one more institution.
