As GSA ramps up FedRAMP, security remains a concern in efforts to move government IT to the cloud, officials told a House subcommittee.
The government lacks a complete framework of security requirements for the cloud computing model, government officials told a House panel. That's making security concerns difficult to overcome and slowing adoption of cloud computing.
The General Services Administration is ramping up FedRAMP to provide a governmentwide provisional authorization to operate for cloud service providers, but the security worries remain a significant obstacle.
“The adoption of cloud computing has the potential to provide benefits to federal agencies; however, it can also create numerous information security risks,” said Gregory Wilshusen, director of information security issues at the Government Accountability Office. “Continued efforts will be needed to ensure that cloud computing is implemented securely in the federal government.”
Those efforts already are under way at GSA, the Office of Management and Budget, the Federal CIO Council and the National Institute of Standards and Technology, Wilshusen said Oct. 6 in a hearing before the House Homeland Security Committee's Cybersecurity, Infrastructure Protection and Security Subcommittee. But policies and processes are not yet complete, and this could slow the adoption of cloud computing.
The federal Cloud First policy calls for agencies to consider cloud computing options before making new IT investments, and agencies are exploring and beginning the move to the cloud. Richard Spires, CIO of the Homeland Security Department, said DHS is adopting both private and public cloud platforms, using commercial service providers for low-impact applications, and hosting medium- and high-impact applications and services in its two data centers.
Not all cloud platforms will be adequately protected, Spires said. “Some cloud environments have capabilities necessary to defend against and provide recovery from these threats, such as advanced monitoring capabilities and cleared information security professionals, while others may not, because the increased costs to provide these security capabilities may price their offering outside of the competitive marketplace.”
Hosting applications on its own private cloud will allow DHS to use its enterprise security programs to protect them, Spires said.
Public cloud offerings will have to be evaluated to ensure they meet requirements under the Federal Information Security Management Act. To ease the burden both for industry and agencies, and to improve results, GSA is providing a governmentwide program for assessing security and providing an interim authorization to operate that each agency can use.
The Federal Risk and Authorization Management Program, or FedRAMP, “establishes a common set of baseline security assessment and continuous monitoring requirements for FISMA low- and moderate-impact risk levels using NIST standards that must be adhered to by all cloud systems,” said David McClure, associate administrator of GSA’s Office of Citizen Services and Innovative Technologies.
GSA will accredit the third-party assessors that evaluate commercial cloud providers, and on the basis of their assessments GSA can grant a provider a provisional authorization to operate. Agencies contracting with that service provider can rely on the provisional authorization, tailoring a final authorization to agency-specific needs if necessary. Service providers must agree to near-real-time reporting of continuous monitoring data feeds to DHS and to agency security operations centers.
FedRAMP will be launched in phases. It is expected to be formally established by an OMB memo, with initial rollout this fall. Under the Initial Operational Capability phase its scope will be limited, covering a small number of cloud service providers. Full operations are expected to begin next spring, and sustaining operations, scaled to satisfy demand, are expected to begin late in 2012.
Concerns about security remain, however, particularly in the public cloud environment. Wilshusen cited a number of worries, including:
- The possibility that the security controls put in place could be ineffective or inadequate, creating vulnerabilities.
- The potential loss of governance and physical control over agency data when the provider is responsible for certain security controls and practices.
- Potentially inadequate background security investigations for service-provider employees.
- The possibility that a vendor could go out of business or stop providing services.
- Vulnerabilities created by having multiple tenants in a virtual environment.
The issues are not being ignored, but no comprehensive policy for addressing them is yet in place, and full benefits of cloud adoption cannot be realized until the framework is completed, Wilshusen said.