March 27, 2011 By Dan Lohrmann
What is FedRAMP? How does it help with cloud-computing environments? Can we use it here in our state? I expect these questions will be asked across America over the next few years in the halls of state and local governments.
The federal government is well down the path to defining security controls required in cloud computing. State and local government officials need to take notice and leverage this excellent federal work. If not, the many benefits of cloud computing will be overcome by the tough challenges in this new environment.
The Federal Risk and Authorization Program (FedRAMP) is a “risk management program for large outsourced and multi-agency information systems used by the U.S. government.” FedRAMP was created to support government cloud computing plans.
According to Techtarget.com:
“FedRAMP is intended to facilitate the adoption of cloud computing services amongst federal agencies by evaluating those services offered by vendors on behalf of the agencies. The evaluations will be based on a unified risk management process that includes security requirements agreed upon by the federal departments and agencies. Because the services are vetted by FedRAMP, each agency does not need to conduct its own risk management program. This reduces duplication of effort, the time involved in acquiring services and costs.”
In my view, this detailed work is exactly the kind of effort that governments require across all 50 states. While there will no doubt be a need for some local tweaking, the same processes and procedures used for the FedRAMP program can benefit state and local government around the world - and not just in the USA.
At a recent symposium on high-performance cloud computing, Dave McClure, a General Services Administration expert on FedRAMP, told the audience that five new tiger teams with representatives from across government are working to improve FedRAMP based on feedback submitted from the public. These teams are working on (at least) seven improvements to the program.
According to Government Computer News (GCN), the improvements will address these seven issues:
1) Too many controls and controls for different risk levels.
2) More guidance on third-party assessors’ independence.
3) Continuous monitoring raises data concerns.
4) What is the role of the Joint Authorization Board?
5) What will be the role of government security operation centers?
6) How does the government ensure that FedRAMP is compliant with the Trusted Internet Connection?
7) What are the different security controls for the different cloud delivery models – Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS)?
I urge readers to learn more about FedRAMP – especially if you are implementing cloud computing initiatives and exploring opportunities. Efforts are underway by the National Association of State Chief Information Officers (NASCIO) to work together with GSA and others in the federal government to leverage contracts, standards and more in the cloud.
The issues that Dave McClure recently discussed are the same issues that are bound to cause state and local governments to stumble in the cloud in the near term. Security, privacy and legal concerns regarding cloud computing must be (and can be) addressed holistically. Let’s apply that famous 80-20 rule and get on board this ship to the greatest extent possible. We will save time and money if we do.
How? What are next steps? It starts with education – learn about and become engaged with current activities.
Now what did FedRAMP stand for again?
March 20, 2011 By Dan Lohrmann
Microsoft released the new Internet Explorer (IE) 9 browser this past week, and government enterprises across the world now have another important product decision to make.
According to USA Today, “IE still holds a 54.3% market share, followed by Firefox (17.8%), Chrome (9%) and Safari (5%), according to Net Applications. It remains to be seen whether IE9 — which only works on Windows 7 and Windows Vista PCs; Windows XP users must stick with IE8 — can stem IE’s steady market share decline…. IE9’s distinguishing capabilities is the inclusion of a ‘Do Not Track’ privacy mechanism that’s similar to a privacy feature introduced by Chrome.”
Many governments are still in the process of upgrading off of older operating systems and non-supported IE (and other vendor) browsers. Windows XP support ended last year, and support for IE6 also ended in 2010. Still, many state and local governments are using these products.
Meanwhile, the latest Firefox, Google Chrome and Apple Safari browsers also offer new functionality and will continue to push the innovation envelope and ensure that new features are available to users going forward. This ongoing competition will not be ending anytime soon.
There are several browser comparison charts like this one from Top Ten Reviews and this chart from Microsoft which are available to compare various features. As you review your options, remember to take into account vendor bias on website content.
In Michigan government, we have teams that test various browsers with different applications to ensure that our users can reliably upgrade. This process is time-consuming and rather difficult for some – but needed to ensure that mission-critical applications still work after browser upgrades.
What am I doing at home? I will be downloading IE9 on my family computers and trying out the new browser for myself. This is becoming a regular pattern in our home.
Any thoughts on the new IE9 release? What is your government doing?
March 12, 2011 By Dan Lohrmann
As Japan strives to recover from the devastating earthquake and tsunami, global governments are sending aid in a variety of forms. From emergency relief personnel, food, water and equipment to technical assistance in search & rescue operations and reestablishing critical infrastructure, the needs are great. But what are governments and individuals doing now? How are we helping both individually and corporately?
Actions Already Taken
"(First Lady) Michelle (Obama) and I send our deepest condolences to the people of Japan, particularly those who have lost loved ones in the earthquake and tsunamis.
The United States stands ready to help the Japanese people in this time of great trial. The friendship and alliance between our two nations is unshakable."
The President offered US military relief assistance to the Japanese people. After ensuring that their own equipment and personnel were safe, the Navy is sending in teams to assist in the relief efforts.
Emergency relief organizations are mobilizing support teams now, and any efforts to travel to the affected areas should be through globally recognized disaster relief teams. Many state and local governments assist in these teams through US and international mutual aid agreements.
However, the effects of this natural disaster in Japan were also felt world-wide yesterday. Tsunami warnings and advisories were issued in Hawaii and up and down the West Coast. Local officials were sending out alerts and reacting to the latest news and conditions. Rescue efforts occurred in many US States. However, California and Oregon sustained most of the tsunami damage on US soil.
Here’s a quote from one local official:
“While the impact of this incident in Japan is catastrophic, the impact here is minimal,” said Schaefer in the message. “None-the-less this serves as an excellent reminder to be prepared for the large scale earthquake that may some day strike California.”
How to Give
If you want to make personal donations, Global Post made a plea to give money, not stuff. Here’s why:
“… If you’re considering doing your part, that’s great. But, experts say, whatever you do, don’t donate anything but money. Under no circumstances should you mail care packages, toys, food or clothes. Don’t even think about sending drugs. The response to prior disasters shows that regardless of your intentions, you will only be making matters worse.
That’s what happened in the aftermath of the December 2004 tsunami. The disaster was followed by an unprecedented outpouring of global generosity. This dramatically facilitated the grisly chore of cleaning up the tens of thousands of bodies left under the tropical sun, and it funded a reconstruction effort that, while far from perfect, provided roofs over the heads of many.
But aid workers joked that the real tsunami was followed by another tsunami — of misguided goodwill…”
But what is the best way to give? Government Computer News recommends the Red Cross and a few other traditional aid organizations:
“… The Red Cross has a donation line set up via text message that enables $10 donations to the organization by texting REDCROSS to 90999. The Red Cross has teamed up with mobile donation provider mGive to provide this service. UNICEF, Doctors Without Borders and AmeriCares also collect donations for relief efforts….”
Technological Role in Responding to Disasters:
New tools are being used in the recovery effort. Google’s People Finder and Twitter (and local variants) are helping to locate loved ones in Japan. The Web is now helping in a variety of new ways during emergencies. Here are a few examples:
“Global web giant Google's person finder service had notched up over 45,000 records of people leaving messages seeking information on friends and family, or providing information about people in the disaster zone, by 1130 GMT.
The site was updating, in English and Japanese, by the hundred every few minutes.
A random search for the common Japanese surname "Sato" brought up hundreds of results, many of them for people living in Sendai -- the city that faced the brunt of the thunderous body of rolling water…”
But Watch Out for Scams
The Internet is full of pictures, videos and stories related to the 8.9-magnitude quake, which unleashed a 10-meter tsunami that washed away homes and tossed cars and boats. However, global disasters often lead to global scams and email phishing attempts taking people to fraudulent websites. Numerous scams have already been reported, and Security Week warned of a massive increase in new scams in coming weeks.
These scams are expected to be delivered via social networks such as Facebook and other popular websites, emails and other channels. Don’t trust web links in unsolicited emails asking you to give. It is best to type in the URL (Web address) yourself and go to a reputable organization.
Prepare by Training
This tragic situation underlines the need for federal, state and local emergency response teams to be prepared. Events on the other side of the world are the same events that affect us in the USA. Governments must always be prepared to respond, regardless of financial condition or other priorities. Together, we are making a positive difference, and technology and communication support is an important element in our emergency response.
Update on March 13
The LA Times is reporting that: Aftershocks, infrastructure damage hamper relief efforts. The scale of the devastation is immense, and numerous countries and relief organizations are sending in support. Our thoughts and prayers go out to those impacted by this disaster.
Building effective virtual government requires new ideas, innovative thinking and hard work. From federal stimulus projects to enterprise architectures to cloud computing, Dan Lohrmann will discuss what's hot and what's not in the world of technology infrastructure.