Cloud

What happens after the FedRAMP deadline?

FedRAMP logo -- GSA image

Cloud service providers are supposed to meet the government's baseline cloud security standards by June 5. But it's not entirely clear what will happen if they don't.

CSPs that fail to achieve Federal Risk and Authorization Management Program (FedRAMP) compliance by that date face the uncomfortable possibility of getting the agency or department they contract with in trouble with oversight bodies, according to a spokesperson for the Office of Management and Budget, which will play an oversight role in ensuring FedRAMP compliance.

However, it's not as if the cloud services will be halted on the spot.

"OMB will work with agencies through normal oversight processes and channels to measure and analyze agency efforts with regards to this provision," the spokesperson said.

That means attention from inspectors general and potentially the Government Accountability Office, which already has a busy year ahead in federal IT. Such reports are likely to be critical not only of the CSPs but also of the agencies themselves, particularly CIOs.

"We expect an onslaught of companies approaching us to leverage us for FedRAMP compliance, and no CIO wants to be in those oversight reports," one source from a FedRAMP-compliant CSP told FCW. "Some companies are going to hope the deadline gets pushed back, but they're going to have to spend money to protect their revenue."

However, because achieving compliance requires a significant investment in time and money, the source said some companies may opt to take a wait-and-see approach. If the repercussions aren't there after the deadline, some might gamble and continue to delay.

Thus far, 10 companies have earned FedRAMP compliance for 13 solutions through either an agency authority to operate or approval from the FedRAMP Joint Authorization Board. Another group of CSPs are somewhere in what is typically a four-to-six month long FedRAMP pipeline.

The FedRAMP policy memorandum states, "[a]ll currently implemented cloud services or those services currently in the acquisition process" must meet the FedRAMP security authorization requirements, which currently consist of 298 security controls based on National Institute of Standards and Technology guidelines.

The OMB spokesperson said those standards are not set in stone and will continue to "evolve and be updated over time," much like cloud technology itself.

In fact, the FedRAMP policy memo directs the FedRAMP Joint Authorization Board to "define and regularly update the FedRAMP security authorization requirements in accordance with the Federal Information Security Management Act of 2002 (FISMA) and DHS guidance."

In summer 2013, the JAB began undertaking the update process to FedRAMP's security controls based on NIST's Special Publication 800-53 Revision 4, Security and privacy Controls for Federal Information Systems and Organizations.

The updated standards are on pace to be completed before fiscal 2014 ends.

"This is a reflection that cybersecurity is a dynamic, rather than static, field," the OMB spokesperson said. "Additionally, as the cloud computing industry matures and the government's adoption of cloud computing increases, FedRAMP will gain additional knowledge and lessons learned which will inform the FedRAMP Security Controls baseline."

About the Author

Frank Konkel is a former staff writer for FCW.

FCW in Print

In the latest issue: Looking back on three decades of big stories in federal IT.

Featured

  • Anne Rung -- Commerce Department Photo

    Exit interview with Anne Rung

    The government's departing top acquisition official said she leaves behind a solid foundation on which to build more effective and efficient federal IT.

  • Charles Phalen

    Administration appoints first head of NBIB

    The National Background Investigations Bureau announced the appointment of its first director as the agency prepares to take over processing government background checks.

  • Sen. James Lankford (R-Okla.)

    Senator: Rigid hiring process pushes millennials from federal work

    Sen. James Lankford (R-Okla.) said agencies are missing out on younger workers because of the government's rigidity, particularly its protracted hiring process.

  • FCW @ 30 GPS

    FCW @ 30

    Since 1987, FCW has covered it all -- the major contracts, the disruptive technologies, the picayune scandals and the many, many people who make federal IT function. Here's a look back at six of the most significant stories.

  • Shutterstock image.

    A 'minibus' appropriations package could be in the cards

    A short-term funding bill is expected by Sept. 30 to keep the federal government operating through early December, but after that the options get more complicated.

  • Defense Secretary Ash Carter speaks at the TechCrunch Disrupt conference in San Francisco

    DOD launches new tech hub in Austin

    The DOD is opening a new Defense Innovation Unit Experimental office in Austin, Texas, while Congress debates legislation that could defund DIUx.

Reader comments

Mon, Feb 3, 2014

What happens next you ask? Wait for the Inspector General reports.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group