FedRAMP: Governmentwide Approach to Cloud Security

If you’ve read my blog for a while, you know I have I have been a big proponent of cloud computing for some time. Cloud computing enables faster, greener, and more cost effective service to our stakeholders. However, that doesn’t mean there aren’t issues around cloud computing that still need to be resolved.
As the original chair of the Cloud Computing Executive Steering Committee (ESC), a working group under the federal CIO Council, one of the first hurdles to cloud computing we began to address was security. We formed a security working group under the ESC in October of 2009 which is now supported by Katie Lewin and the Federal Cloud Program Management Office team in GSA’s Office of Citizen Services and Innovative Technologies. This group has worked collaboratively with the Federal CIO, NIST, the CIO Council (and working groups such as ISIMC, which is the CIO Council’s committee on information security and identity management), and agency SAISOs to build a common cloud security assessment and accreditation framework. With this work the administration is taking a big step forward in addressing how the Federal government is going to address security concerns for cloud computing systems.


While cloud computing is not new technology, it does present unique security challenges based on the outsourced, multi-tenant nature of the services being provided. This week, This week, Vivek Kundra, the Federal CIO, in conjunction with the CIO Council and other involved partners, announced the release of Proposed Security Assessment and Authorization for U.S. Government Cloud Computing documentation. This document provides the framework and information about a proposed operating model for the Federal Risk and Authorization Management Program (FedRAMP).
FedRAMP is an extremely exciting development for cloud computing. Our aim is that FedRAMP provide the framework for a standard and secure approach to Assessing and Authorizing (A&A) cloud computing services and products. It would allow joint authorizations and continuous security monitoring services for Government and Commercial cloud computing systems intended for multi-agency use.
The implications of this are huge. Implementation time for FedRAMP certified vendors would be dramatically cut – instead of its taking months to get a security authorization, it could take weeks. Additionally, the cost in granting an Authority to Operate from an agency perspective could be minimal – potentially only the time it takes to review the FedRAMP authorization.
The FedRAMP documents are a great first start to finding a workable solution to securely using cloud solutions for the Federal Government. The Federal Cloud PMO and collective governmentwide partners are still looking to make the FedRAMP approach as good as possible for government and industry. As such, they are requesting feedback from the community. The documents can be accessed at http://www.FedRAMP.gov, and comments are being accepted through Thursday, December 2, 2010. Additionally, GSA will be hosting a FedRAMP Q&A Briefings Industry Day this Friday, November 19.