Research Report: The Virtual Public Sector

2014: A turning point for FedRAMP

This is the year that the Federal Risk and Authorization Management Program (FedRAMP) initiative comes into its own.

Beginning June 5, agencies cannot use cloud services that have not been certified under FedRAMP as meeting the low and moderate cybersecurity requirements spelled out in the Federal Information Security Management Act (FISMA).

Provisional authorizations to operate (ATOs) are issued by the Joint Authorization Board (JAB), the primary governance and decision-making body for the FedRAMP program, which comprises the CIOs of the DOD, the Department of Homeland Security, and the General Services Administration. Agencies can also use the FedRAMP guidelines to issue their own ATOs.

As of the end of March, 11 cloud services had been given provisional ATOs by the JAB, while four had been given agency ATOs. Among the services granted agency ATOs is the Infrastructure-as-a-Service (IaaS) offering from the Department of Agriculture’s National Information Technology Center.

Another 13 cloud services were still being evaluated for provisional authorization, with three in line for agency authorization.

FedRAMP is widely seen as a key to improving cloud security. It provides government agencies with a baseline of secure functionality: an approved set of offerings that meet at least the low and moderate FISMA requirements. Given the inconsistent way in which FISMA has been applied, FedRAMP should bring a welcome level of standardization across government.

However, agencies need to recognize that FedRAMP is not the final word on security. It addresses services that are common to most agencies, such as e-mail and backup storage. But it won’t cater to more complex cloud offerings, such as those involving end-user storage or custom software, said John Pescatore, director of emerging security trends at the SANS Institute. “That’s where it’s going to be a lot tougher for this one size fits all approach to work.”

GSA, which runs the FedRAMP program, has made it a priority to educate agencies about the best use of cloud and the role of FedRAMP. Among the issues to consider are how to craft service level agreements with cloud providers and how to assess the risk involved in moving applications and data to the cloud.

Agencies should expect FedRAMP to evolve. It is based on both FISMA security requirements and the security controls included in NIST special publication 800-53, and those will change over time.

FedRAMP is also likely to be tweaked to address agency and industry concerns that arise as people gain more experience working with it. For example, agency officials have expressed interest in a standard set of FedRAMP-related service level agreements, which would reduce many of the headaches agencies face in negotiating these agreements with individual providers. Maria Roat, FedRAMP director at the GSA, said FedRAMP officials are looking into this.

What isn’t likely to emerge anytime soon is a set of FedRAMP requirements for high security needs. There seems to be relatively low demand for that, Roat said.