Cloud security: A closer look at FedRAMP

Security concerns typically provide the chief source of rain for the cloud parade, as worries about data leakage and other cyber maladies have caused federal IT managers to think twice about cloud computing. Indeed, more than 50 percent of respondents to an 1105 Government Information Group survey declared that cloud solutions lack sufficient security.

The government is looking for ways to assuage that anxiety and spark cloud adoption because federal data center consolidation efforts — not to mention the Obama administration’s cloud-first policy — rely on the technology. Therefore, the Federal Risk and Authorization Management Program (FedRAMP) brings together officials from the General Services Administration, Department of Homeland Security and Defense Department, among others, to provide a standardized approach for determining the security of cloud-based services.

FedRAMP launched in June, and as of mid-September, more than 50 commercial vendors and agencies had submitted initiation requests to FedRAMP’s program management office, said Kathy Conrad (pictured), principal deputy associate administrator at GSA’s Office of Citizen Services and Innovative Technologies. Those requests mark the first step in the FedRAMP security assessment process.

FedRAMP now runs in what the government calls an initial operational capability mode. It is slated for full operational capability in the second quarter of fiscal 2013, based on feedback from the earlier stage.

Why it matters

FedRAMP’s mission is to establish a uniform process for assessing the security of cloud products and services and thereby boost federal agencies’ confidence in the technology.

Paul Nguyen, vice president of cyber solutions at Knowledge Consulting Group, said consistency is one of the program’s key benefits. FedRAMP establishes a standard for conducting risk assessments and rigorously certifies the third-party assessment organizations (3PAOs) that will carry out the evaluations based on that standard. At press time, KCG was one of 15 assessment organizations that were working with FedRAMP.

The idea is to “eliminate the subjectivity of different assessors to make it an objective exercise,” Nguyen added.

In another expected plus, FedRAMP offers a repeatable security assessment process that could save time and money. Instead of having a cloud service provider (CSP) undergo an assessment for each potential agency customer, FedRAMP lets a provider go through one evaluation that can be used multiple times. FedRAMP officials plan to compile a library of security-tested cloud services that agencies can access.

“The main idea here is that once you have FedRAMP certification, in theory and hopefully in practice, another agency will accept FedRAMP and you don’t have to go through the certification process each time with a different agency,” said Steve Vinsik, vice president of global security solutions at Unisys.

Unisys plans to have its cloud services certified through FedRAMP but has not yet initiated the process, he added.

A streamlined security approach would presumably help agencies adopt cloud services more quickly, but it could bring another benefit in the form of cost savings. Although prices vary, security audits can cost $40,000 to $100,000, said Prenston Gale, director of information security at Dynamics Research Corp., another FedRAMP 3PAO.

The fundamentals

FedRAMP doesn’t represent a huge departure from other security assessments, at least in terms of its foundation. FedRAMP’s baseline requirements follow the security controls listed in the National Institute of Standards and Technology’s Special Publication 800-53, “Recommended Security Controls for Federal Information Systems and Organizations,” which also backs Federal Information Security Management Act (FISMA) reviews. Furthermore, FedRAMP’s security assessment process maps to NIST SP 800-37, “Guide for Applying the Risk Management Framework to Federal Information Systems.”

“The controls in place and the process are very similar to what we would already need to do from a FISMA certification perspective,” Vinsik said.

However, FedRAMP officials have enhanced some of the NIST controls to make them more pertinent to the cloud environment. Consequently, FedRAMP provides “a centralized consensus for what controls should look like and what cloud enhancements are necessary,” Gale said.

To test itself against those controls, a CSP submits a request to the FedRAMP office to get the review process started. The office prioritizes the requests, with infrastructure-as-a-service providers taking precedence.

When a provider’s turn comes up, the office assigns an information systems security officer (ISSO) as the point person for guidance on deploying security controls and following the assessment steps. After deploying the necessary controls, the CSP documents those measures in a system security plan that goes to the ISSO for review and, eventually, to the Joint Authorization Board for approval. The board consists of the CIOs from GSA, DHS and DOD.

The next step involves an independent assessment of the CSP’s controls. That’s where the 3PAOs come in. The assessment organizations examine the provider’s controls and match them to the FedRAMP guidelines. Vinsik said the 3PAOs help providers uncover gaps that would prevent them from obtaining FedRAMP certification.

The board finalizes the security assessment and grants a provisional authorization if it deems the CSP’s security stance to be sufficient. The documentation supporting those authorizations will be housed in a FedRAMP repository for other agencies to use. An agency planning to buy a cloud service must make the final decision on whether to grant a provider an authorization to operate, but the agency can save considerable time by reusing the FedRAMP assessment.

Gale said only a “small delta” might exist between the security controls documented in a FedRAMP assessment and any additional security measures an agency might require a CSP to pursue.

The FedRAMP assessment process can take as long as nine months. But the actual time frame will vary depending on the CSP’s technical architecture. GSA’s Conrad said the typical assessment and authorization of a traditional, non-cloud federal IT system at the moderate level takes five to nine months, depending on the size of the system and its complexity.

FedRAMP officials expect to grant the first provisional authorization in December, she added.

“Following in the crawl-walk-run philosophy of this new program, we also anticipate processing times to improve as the program matures,” Conrad said. “As CSPs and agencies gain more familiarity and experience with the baseline controls, assessment timelines will also improve.”

The hurdles

The nature of the cloud creates some obstacles to the process of assessing and testing services. Specifically, the different cloud varieties — IaaS, platform as a service and software as a service (SaaS) — complicate the security assessment task, said Maria Horton, CEO of EmeSec.

“There are some nuances and differences in the types of testing you have to conduct based on the type of deployment model,” she said.

EmeSec, a cybersecurity and information assurance company that provides cloud security consulting, is pursuing 3PAO accreditation.

Another complication is that one vendor’s cloud service might be hosted in another vendor’s cloud. A SaaS application, for example, could reside on another cloud service provider’s IaaS offering. Nguyen said the nested aspect of cloud services means that assessments might need to be coordinated across multiple vendors.

Those dependencies also call for an understanding of the contractual relationships — and service-level agreements — among the parties, he added.

Furthermore, agencies, CSPs and 3PAOs will need to deal with some degree of ambiguity in the FedRAMP guidance. For instance, the program requires agencies to work with their CSPs to assess their security posture on an ongoing basis. But the specifics are still being determined.

Gale said the FedRAMP program has yet to issue much in the way of clear guidance on which controls should be monitored and with what frequency. He said those standards will likely emerge after the first CSP evaluations. At that point, FedRAMP officials will have a better idea of how continuous monitoring should work in different cloud environments. For example, Gale said agencies that use publicly accessible cloud services might want to ensure that input validation and integrity checks are monitored more frequently to protect themselves against cyberattacks.

Working out the details of cloud security assessment and testing is something of a learn-as-you-go exercise. Accordingly, FedRAMP officials maintain open communications.

“The FedRAMP ISSOs are working very closely with the CSPs to share information and discuss emerging issues,” Conrad said. “At a minimum, they hold a weekly status call.”

Nguyen said FedRAMP recently launched a special interest group for 3PAOs. The forum brings together assessment organizations and FedRAMP officials.

“They have been very transparent and very open,” Nguyen said. “This is a learning process. We’re used to the old FISMA requirements, but this is a little bit different.”

Next steps: What to expect as FedRAMP evolves

FedRAMP was consciously devised as a work in progress, with feedback from early evaluations informing the later stages of the program. Here are a few areas that might see greater definition over time.

• Continuous monitoring. For each type of cloud environment, officials need to determine what controls require ongoing security checks and how frequently a cloud service provider should report results. FedRAMP’s Concept of Operations document calls for the Department of Homeland Security to “develop continuous monitoring standards for ongoing cybersecurity.”
• Cloud brokers. Some vendors work with cloud brokers, which let customers connect to different cloud service providers. FedRAMP officials will need to explore the boundaries between brokers and service providers and determine how to certify brokers.
• Scalable resources. Clouds are dynamically scalable, which allows IT managers to summon additional computing resources as needed. The question for FedRAMP and its industry partners is how to properly assess the security profile in such an ever-changing environment.