The US government believes that they can save billions of dollars per year by moving critical applications to the cloud. A recent CIO Magazine article on the current $10 billion US Department of Interior (DOI) initiative to move key applications, including SAP, to the cloud illustrates the potential windfall for the government and its cloud service providers (CSPs). So if you are not yet familiar with the term FedRAMP… you will be soon, as the CSP gold rush it’s driving may rival that of California in 1849.
But with gold comes trouble. A recent dinner conversation with my wife illustrates the “elephant in the room” that relates to FedRAMP. When I was talking about this issue my daughter politely interrupted me and asked “Ummm … if we put all of our government data in one place won’t it be easy for someone to hack in and get it?” My daughter’s perspective is both accurate and shared by many security practitioners. Consolidating critical government data into a handful of third-party operated data centers is essentially painting a bull’s-eye on those data centers. That being said, if you look at the Federal Information Security Management Act’s scorecard, you could definitely argue that, at best, the agencies have done a marginal job of securing their own data.
So if you were to put in place a well-conceived, robust program to ensure that the CSPs who are storing/processing critical government data were “secure,” perhaps the net would be better than our current situation. The Federal Risk and Authorization Management Program (FedRAMP) is designed to be that program.
FedRAMP extends and formalizes the long-standing NIST/FISMA Security Certification & Accreditation Process (NIST SP800-37) to the CSP. The program (which is run by the GSA) requires potential CSPs to work in a very collaborative manner with the GSA and a certified Third Party Assessor Organization (3PAO) to demonstrate—extensively—that they comply with the government’s security requirements, as specified in NIST 800-53. The long-standing FIPS/NIST/FISMA guidance that FedRAMP is based on was driven by the Federal Information Security Management Act of 2002. It’s good stuff and held in the same high regard that ISO-27000 guidance is.
I recently had the opportunity to spend a day with a good chunk of the GSA team that is responsible for FedRAMP. I left with a very positive impression of the program. They understand the risk to the government and their role in mitigating that risk. Specifically, they understand that while you can outsource information processing, you can’t outsource risk. So the program is not only robust in its initial certification efforts, but extends into the ongoing operations, change management, security monitoring, and incident response of the CSP. In a sense, a GSA Information System Security Officer (ISSO) becomes an “ongoing partner” in the CSP’s Information Security Management System.
With only a handful of CSPs “Authorized to Operate” (ATO) (they don’t refer to it as certified), and very few agency applications outsourced to them, it’s too early to gauge the success of FedRAMP. I’m hoping that Vivek Kundra, former federal CIO of the United States, was right when he said, “Cloud computing is often far more secure than traditional computing, because companies like Google and Amazon can attract and retain cyber-security personnel of a higher quality than many governmental agencies.”
That’s because I know that Joe Weinman, author of Cloudonomics: The Business Value of Cloud Computing was right when he said, “Ultimately, the cloud is the latest example of Schumpeterian creative destruction: creating wealth for those who exploit it; and leading to the demise of those that don’t.”