Agencies' needs could imperil FedRAMP

The highly touted Federal Risk Authorization Management Program (FedRAMP), and programs like it, depend on maintaining standards. In FedRAMP's case, it's a standardized approach to the security authorization process for cloud products and services.

But not all agencies fit neatly into the standardized approach, some industry observers told a Washington audience on Jan. 19. They have individual compliance needs and modification requirements that can undermine an effort to apply standards.

One of the challenges of a program like FedRAMP “is most government agencies don’t take a bare-minimum, standards approach for most things they do,” said Henry Fleischmann, Hewlett-Packard’s chief technologist for federal cloud solutions.

For example, when agency managers are presented with a "cloud-in the-box," they often want to know if it can work with an older legacy system, in a heterogeneous environment, with all of their different vendors and in many different security zones, Fleischmann said.

“This is the challenge,” he said. “Putting standards out there is good, but agencies will still maintain their own stacks of compliance and the way they do business that might break some of the standardization,” Fleischmann said during a panel discussion at a conference on government cloud security presented by GTSI and Federal Computer Week.

Government managers need to examine the value proposition of the cloud, noted Ira “Gus” Hunt, chief technology officer for the CIA, who moderated the panel.

That value proposition stipulates ruthless standardization and automation so processes can be repeated over and over again. “But if government is coming in and saying, ‘Nice, but modify it especially for me,’ then you lose all of the value proposition,” Hunt said.

The government released security control baselines on Jan. 6 that have been agreed upon by federal agencies and approved by the FedRAMP Joint Authorization Board that address the elements of authorizing cloud products and services. These include factors such as multitenancy, control of an infrastructure and shared resource pooling. FedRAMP security controls align with the National Institute of Standards and Technology Special Publication 800-53, Revision 3, for low- and moderate-impact systems.

“Agencies should dig into the FedRAMP controls” and understand how the controls align with their agency’s security requirements, said Scott Armstrong, who directs Symantec’s public-sector business development, cybersecurity and cloud initiatives.

The FedRAMP Joint Authorization Board can allow agencies to increase or modify security controls when it is necessary, he said. Additionally, cloud providers’ products and services will have to be accredited by a third-party organization, so rather than an agency having to trust another agency’s processes, there will be a trusted third party that should provide guarantees that controls have been met and implemented.

Katie Lewin, director of cloud computing for the General Services Administration’s Office of Citizen Services and Innovative Technologies, picked up on theme of modifying controls and third-party accreditation firms vetting cloud providers in another panel discussion moderated by Chris Dorobek of

Baseline security controls might be adequate, but agencies can add additional controls that are specific to their security profile.

Agencies will take the baseline security controls as a starting point to issue an authority to operate a cloud provider’s services. “You can add controls to the FedRAMP baseline for your specific instance of whatever kind of [cloud] service you are using,” she said about agencies seeking to vet cloud products and services.

GSA and partner agencies are working on building capacity for controls related to continuous monitoring of cloud services within FedRAMP. “So when we come out with [FedRAMP’s] initial operating capability in June there will be three to nine controls that will [address] automated continuous monitoring. Agencies will have to harness these controls, so cloud providers can report on security instances in a continuous way, Lewin noted.

About the Author

Rutrell Yasin is is a freelance technology writer for GCN.

Cyber. Covered.

Government Cyber Insider tracks the technologies, policies, threats and emerging solutions that shape the cybersecurity landscape.


Reader comments

Tue, Jan 24, 2012 jordan

FedRAMP is good, and far better than what we have now. Just because it meets 85% of each groups' needs, it should be supported, not dissed. Rather, to market it better, FedRAMP needs a Plus program. Think of a stamp saying "FedRAMP Approved" and then another "FedRAMP Approved + DoD Approved" or FedRAMP Approved + FDA Approved"

Fri, Jan 20, 2012 Fed Up Fed

This "but I'm Different" approach is the same thing that has killed mega-investments in upgrades to the FAA Air Traffic Control system many times over the past decades. Standardization is touted as the keystone of success and management buys into it. When those standard come to roost at any single facility, the Air Traffic Manager and staff fight tooth and nail to maintain all the custom features they cobbled into the existing system over the years.FedRAMP is likewise doomed to costly failures unless "special case needs" are forbidden.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group