The recent bounty of spring weather reminds all of us that summer is fast approaching, and with it comes the June deadline for federal agencies to complete the transition of three technology services to the cloud. Up to this point, most agencies have focused on less complicated cloud implementations like email and citizen-facing websites. These have been prime candidates for the cloud, partly because they are straightforward transitions, but also because they aren't as freighted with security issues as other, more critical services. Soon, however, the security fears around cloud computing will be assuaged with the introduction of FedRAMP, the Federal Risk Authorization and Management Program.

The idea is simple: certify the security of cloud providers just once and then make them available to many agencies. If Amazon's or Google's cloud computing services are approved by FedRAMP, the plan goes, they shouldn't need to be certified again separately by the FDA and the FAA. FedRAMP is meant to reduce duplication, increase efficiency, and get systems up and running faster, which is one of the cloud's biggest assets to begin with. It should also increase the government's knowledge base around cloud computing security.

Recently, the FedRAMP Program Management Office (PMO) released its Concept of Operations (CONOPS), which details the step-by-step process of security accreditation. At the center of the plan are the third-party assessment organizations (3PAOs) that will be responsible for assessing the security of cloud vendors. These 3PAOs can be other companies, research institutions, or schools with creditable security knowledge. Because 3PAOs are so critical to the process, it's important that the PMO not give up its authority to ensure the quality of those assessments.

With multiple 3PAOs assessing multiple cloud vendors, consistency will be key. The best way to achieve this will be for the PMO to set best practices and standards for how the assessors approve cloud vendors. Currently, 3PAOs must meet ISO/IEC standards for independence and managerial competence, as well as demonstrate FISMA competence. Following accreditation, FedRAMP will monitor feedback from cloud providers and agencies on 3PAO performance. The PMO should stay attuned to this feedback and codify it into a program of best practices that can be used to continually monitor and assess 3PAOs. By systematically maintaining the quality of the 3PAOs, the PMO will foster trust in FedRAMP itself, which is the ultimate key to securing agency buy-in and program success.

For more information on the 3PAO accreditation process, and on future plans to turn it over to a privatized board, see: http://www.gsa.gov/graphics/staffoffices/3PAO_Program_Description.docx