
What happens after the FedRAMP deadline?


Cloud service providers are supposed to meet the government's baseline cloud security standards by June 5. But it's not entirely clear what will happen if they don't.

CSPs that fail to achieve Federal Risk and Authorization Management Program (FedRAMP) compliance by that date face the uncomfortable possibility of getting the agency or department they contract with in trouble with oversight bodies, according to a spokesperson for the Office of Management and Budget, which will play an oversight role in ensuring FedRAMP compliance.

However, it's not as if the cloud services will be halted on the spot.

"OMB will work with agencies through normal oversight processes and channels to measure and analyze agency efforts with regards to this provision," the spokesperson said.

That means attention from inspectors general and potentially the Government Accountability Office, which already has a busy year ahead in federal IT. Such reports are likely to be critical not only of the CSPs but also of the agencies themselves, particularly CIOs.

"We expect an onslaught of companies approaching us to leverage us for FedRAMP compliance, and no CIO wants to be in those oversight reports," one source from a FedRAMP-compliant CSP told FCW. "Some companies are going to hope the deadline gets pushed back, but they're going to have to spend money to protect their revenue."

However, because achieving compliance requires a significant investment in time and money, the source said some companies may opt to take a wait-and-see approach. If the repercussions aren't there after the deadline, some might gamble and continue to delay.

Thus far, 10 companies have earned FedRAMP compliance for 13 solutions through either an agency authority to operate or approval from the FedRAMP Joint Authorization Board. Another group of CSPs is somewhere in what is typically a four-to-six-month FedRAMP pipeline.

The FedRAMP policy memorandum states, "[a]ll currently implemented cloud services or those services currently in the acquisition process" must meet the FedRAMP security authorization requirements, which currently consist of 298 security controls based on National Institute of Standards and Technology guidelines.

The OMB spokesperson said those standards are not set in stone and will continue to "evolve and be updated over time," much like cloud technology itself.

In fact, the FedRAMP policy memo directs the FedRAMP Joint Authorization Board to "define and regularly update the FedRAMP security authorization requirements in accordance with the Federal Information Security Management Act of 2002 (FISMA) and DHS guidance."

In summer 2013, the JAB began updating FedRAMP's security controls based on NIST's Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.

The updated standards are on pace to be completed before fiscal 2014 ends.

"This is a reflection that cybersecurity is a dynamic, rather than static, field," the OMB spokesperson said. "Additionally, as the cloud computing industry matures and the government's adoption of cloud computing increases, FedRAMP will gain additional knowledge and lessons learned which will inform the FedRAMP Security Controls baseline."

About the Author

Frank Konkel is a former staff writer for FCW.
