The Cloud’s Standards Imperative


By Barbara DePompa

A general lack of government-wide standards – especially related to establishing common security practices for cloud computing – has hindered broader federal adoption, sources said at the May Cloud Computing Summit in Washington D.C.

Sharing information and trying to standardize anything across the various military branch services is still limited, according to Chip Brodhun, Senior Technologist/Project Director of Emerging Technologies for the U.S. Marine Corps (USMC). “With each military branch in a separate stage of implementation, while there has been greater collaboration and note sharing, there’s not much agreement or standardization yet,” as each unit considers its use case unique, he explained.

The lack of consistent requirements standardization is frustrating for industry suppliers, such as Microsoft, which must satisfy a raft of security requirements for each agency’s cloud deployment. Javier Vasquez, director of Collaboration & Cloud at Microsoft Federal, said the company fully understands there’s no security without accreditation and established trust. “But requirements must be normalized,” he said. “When regulations and controls remain fragmented, it’s difficult to go back to corporate to support each agency’s separate, individual compliance requirements.”

The situation is changing, however, with the advent of the NIST-promoted Federal Risk and Authorization Management Program (FedRAMP), intended to help mitigate the risks of public-sector cloud adoption. The program has been in the works for months, originated by the Cloud Computing Advisory Council. Federal CIO Vivek Kundra formed the council, which is co-chaired by Peter Mell, a senior computer scientist at the National Institute of Standards and Technology (NIST).

Mell explained the FedRAMP program’s primary advantages to attendees at the Summit. Industry suppliers will be able to work with one security assessment and authorization body for risk management and no longer will be forced to meet all of the security requirements of many differing agencies, he said.

FedRAMP will provide joint authorizations and continuous security monitoring of shared IT services for federal departments and agencies that enter contracts with outside providers, including cloud computing solutions. A joint authorization board will review the certification and accreditation work for a cloud service. Once approved (which could happen by the end of this month), the service would be available for use government-wide.

FedRAMP Benefits

Benefits of this government-wide risk management program include:

* Agreed-upon security standards for all federal organizations
* Security authorization and continuous monitoring
* Agencies participate by leveraging the results for covered products

Industry suppliers gain:
* Government-wide authorization and security compliance cost reduction

Agencies gain:
* Cost savings through reduced duplication of efforts
* Rapid acquisition
* Improved security assurance

Mell said FedRAMP conforms with existing Office of Management and Budget and NIST IT security guidance, including Special Publication 800-37 Revision 3, which is aimed at applying risk management to federal IT systems. FedRAMP is expected to promote development of common security requirements for specific systems, provide ongoing risk assessments, encourage better system integration and dramatically reduce duplication and associated costs.

Suppliers and industry observers applauded NIST’s efforts via FedRAMP. “We fully support NIST’s FedRAMP,” said Microsoft’s Vasquez. “This program definitely has momentum, and the right people in charge to influence reciprocity and accreditation.”

In a blog following the May cloud summit, Jon Oltsik, a senior principal analyst for the Enterprise Strategy Group, Milford, Mass., said, “If FedRAMP works, cloud service providers can deliver to a single set of standards. This will encourage innovation and bolster competition.”

On the agency side, FedRAMP could spur a wave of cloud computing consumption over the next few years. But what if it doesn’t work? “If FedRAMP fails, the federal government becomes difficult to service, so most cloud service providers [will likely] treat it as a market niche,” Oltsik explained. “If this happens, the federal government could lose its cloud computing leadership and momentum very, very quickly.”

How FedRAMP Is Structured

FedRAMP consists of three entities:

* Security Requirement Authorities to create government-wide security requirements.
* A Joint Authorization Board to perform authorizations that can be leveraged by agencies.
* The FedRAMP Office manages the program and conducts technical analysis of authorized solutions.