Kate M. GrowleyGordon Griffin

Just before the closing bell for 2012, the federal government gave its first approval for government-wide security authorization to a cloud service provider.  On December 26, the General Services Administration (GSA) certified its first cloud service provider under the Federal Risk and Authorization Management Program, more commonly known as FedRAMP.  The GSA expects last month’s authorization to pave the way for more in early 2013, with some anticipating as many as 10 to 15 authorizations over the course of the year.

In an effort to better implement the government’s “Cloud First” policy, the GSA collaborated with private industry and other executive agencies – including the NIST, DHS, and DOD – to standardize security requirements for federal cloud contractors.  Begun in June 2012, certification under the FedRAMP standards will become mandatory by the same month in 2014.

North Carolina-based Autonomic Resources has been the first cloud service provider to check all of FedRAMP’s boxes, but its journey to complete federal endorsement is not over.  Cloud service providers seeking FedRAMP approval must undergo a four-step application process.  Either a contractor or an agency may initiate a FedRAMP review.  Contractors must then retain a “third party assessor” (3PAO) to perform an independent assessment of whether the contractor’s security systems comply with Federal Information Security Management Act (FISMA) and NIST standards.  With a 3PAO’s security assessment package in hand, the contractor may then apply for provisional authorization from FedRAMP’s Joint Authorization Board (JAB), comprised of the Chief Information Officers (CIOs) from the DOD, DHS, and GSA.  This is the certification that FedRAMP has granted Autonomic Resources, but the key word is “provisional.”  The JAB “authorization to operate” (ATO) is but an initial endorsement of the contractor’s security controls and their acceptable risk.  Specific agencies are to then leverage this threshold approval to streamline their more tailored ATOs.  Although not formally a part of the application process, it is worth noting that, even after agency approval, the contractor must provide FedRAMP with continuous monitoring reports and various updates.

As the former federal CIO stated, the idea behind the FedRAMP process is “approve once, use often.”  This practice seeks to maximize transparency between cloud contractors and the federal agencies, while minimizing duplicative efforts.  The GSA expects the result to be a universal and trustworthy security authorization process that consumes less time and fewer taxpayer dollars.  Current GSA estimates predict that, with the help of the FedRAMP system, agencies will save approximately $200,000 per authorization.  Until the GSA ushers more prospective cloud contractors through the FedRAMP process, however, federal agencies will have to wait for such savings.  In the meantime though, nothing is preventing agencies from relying on FedRAMP guidelines to independently scrutinize the security of their contractors.

For more information about federal cloud computing and acquisitions, see http://www.crowell.com/files/Cloud-Computing-Acquisitions-Cybersecurity.pdf.