March 27, 2011 By Dan Lohrmann
What is FedRAMP? How does it help with cloud-computing environments? Can we use it here in our state? I expect these questions will be asked across America over the next few years in the halls of state and local governments.
The federal government is well down the path to defining the security controls required for cloud computing. State and local government officials need to take notice and leverage this excellent federal work. If they do not, the many benefits of cloud computing will be outweighed by the tough challenges of this new environment.
The Federal Risk and Authorization Management Program (FedRAMP) is a “risk management program for large outsourced and multi-agency information systems used by the U.S. government.” FedRAMP was created to support government cloud computing plans.
According to Techtarget.com:
“FedRAMP is intended to facilitate the adoption of cloud computing services amongst federal agencies by evaluating those services offered by vendors on behalf of the agencies. The evaluations will be based on a unified risk management process that includes security requirements agreed upon by the federal departments and agencies. Because the services are vetted by FedRAMP, each agency does not need to conduct its own risk management program. This reduces duplication of effort, the time involved in acquiring services and costs.”
In my view, this detailed work is exactly the kind of effort that governments require across all 50 states. While there will no doubt be a need for some local tweaking, the same processes and procedures used for the FedRAMP program can benefit state and local government around the world - and not just in the USA.
At a recent symposium on high-performance cloud computing, Dave McClure, a General Services Administration expert on FedRAMP, told the audience that five new tiger teams with representatives from across government are working to improve FedRAMP based on feedback submitted from the public. These teams are working on (at least) seven improvements to the program.
According to Government Computer News (GCN), the improvements will address these seven issues:
1) Too many controls, and the need for different sets of controls at different risk levels.
2) More guidance on third-party assessors’ independence.
3) Continuous monitoring raises data concerns.
4) What is the role of the Joint Authorization Board?
5) What will be the role of government security operation centers?
6) How does the government ensure that FedRAMP is compliant with the Trusted Internet Connection (TIC) initiative?
7) What are the different security controls for the different cloud delivery models – Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS)?
I urge readers to learn more about FedRAMP – especially if you are implementing cloud computing initiatives and exploring opportunities. Efforts are underway by the National Association of State Chief Information Officers (NASCIO) to work together with GSA and others in the federal government to leverage contracts, standards and more in the cloud.
The issues that Dave McClure recently discussed are the same issues that are bound to cause state and local governments to stumble in the cloud in the near term. Security, privacy and legal concerns regarding cloud computing must be (and can be) addressed holistically. Let’s apply that famous 80-20 rule and get on board this ship to the greatest extent possible. We will save time and money if we do.
How? What are next steps? It starts with education – learn about and become engaged with current activities.
Now what did FedRAMP stand for again?
Building effective virtual government requires new ideas, innovative thinking and hard work. From federal stimulus projects to enterprise architectures to cloud computing, Dan Lohrmann will discuss what's hot and what's not in the world of technology infrastructure.