Agencies' needs could imperil FedRAMP

The specific requirements some federal agencies have could undercut the standardized approach of the Federal Risk and Authorization Management Program, industry experts say.

The highly touted Federal Risk and Authorization Management Program (FedRAMP), and programs like it, depend on maintaining standards. In FedRAMP's case, it's a standardized approach to the security authorization process for cloud products and services.

But not all agencies fit neatly into the standardized approach, some industry observers told a Washington audience on Jan. 19. They have individual compliance needs and modification requirements that can undermine an effort to apply standards.

One of the challenges of a program like FedRAMP “is most government agencies don’t take a bare-minimum, standards approach for most things they do,” said Henry Fleischmann, Hewlett-Packard’s chief technologist for federal cloud solutions.

For example, when agency managers are presented with a "cloud-in-a-box," they often want to know if it can work with an older legacy system, in a heterogeneous environment, with all of their different vendors and in many different security zones, Fleischmann said.

“This is the challenge,” Fleischmann said during a panel discussion at a conference on government cloud security presented by GTSI and Federal Computer Week. “Putting standards out there is good, but agencies will still maintain their own stacks of compliance and the way they do business that might break some of the standardization.”

Government managers need to examine the value proposition of the cloud, noted Ira “Gus” Hunt, chief technology officer for the CIA, who moderated the panel.

That value proposition stipulates ruthless standardization and automation so processes can be repeated over and over again. “But if government is coming in and saying, ‘Nice, but modify it especially for me,’ then you lose all of the value proposition,” Hunt said.

On Jan. 6, the government released security control baselines, agreed upon by federal agencies and approved by the FedRAMP Joint Authorization Board, that address the elements of authorizing cloud products and services. These include factors such as multitenancy, control of an infrastructure and shared resource pooling. The FedRAMP security controls align with National Institute of Standards and Technology Special Publication 800-53, Revision 3, for low- and moderate-impact systems.

“Agencies should dig into the FedRAMP controls” and understand how the controls align with their agency’s security requirements, said Scott Armstrong, who directs Symantec’s public-sector business development, cybersecurity and cloud initiatives.

The FedRAMP Joint Authorization Board can allow agencies to increase or modify security controls when it is necessary, he said. Additionally, cloud providers’ products and services will have to be accredited by a third-party organization, so rather than an agency having to trust another agency’s processes, there will be a trusted third party that should provide guarantees that controls have been met and implemented.

Katie Lewin, director of cloud computing for the General Services Administration’s Office of Citizen Services and Innovative Technologies, picked up on the theme of modifying controls and third-party accreditation firms vetting cloud providers in another panel discussion moderated by Chris Dorobek of DorobekInsider.com.

Baseline security controls might be adequate, but agencies can add additional controls that are specific to their security profile.

Agencies will take the baseline security controls as a starting point to issue an authority to operate a cloud provider’s services. “You can add controls to the FedRAMP baseline for your specific instance of whatever kind of [cloud] service you are using,” she said about agencies seeking to vet cloud products and services.

GSA and partner agencies are working on building capacity for controls related to continuous monitoring of cloud services within FedRAMP. “So when we come out with [FedRAMP’s] initial operating capability in June, there will be three to nine controls that will [address] automated continuous monitoring.” Agencies will have to harness these controls so cloud providers can report on security instances in a continuous way, Lewin noted.