Calling it a “monumental first step in addressing security in cloud computing,” Federal CIO Steven VanRoekel announced the official launch of the long-awaited Federal Risk and Authorization Management Program (FedRAMP) today.

FedRAMP provides a standardized “do once, use often” framework for cloud security, one that VanRoekel said will save money and reduce the staff time needed to conduct security assessments, allowing the government to purchase and leverage cloud technologies more effectively.

The program calls for agencies to hire FedRAMP-approved, third-party assessment organizations (still to be announced) to perform independent security assessments on IT services that use cloud computing systems.

The assessments will be submitted to the FedRAMP Joint Authorization Board (JAB), which will review each security assessment package based on a prioritized approach and may grant a provisional authorization. DHS, GSA and DOD make up the JAB.

The point of the program is to allow the security approval for a cloud computing service developed for one agency to be used by other federal agencies, dramatically reducing the need for agencies to submit separate and often redundant security assessments for federal security approval.


VanRoekel made clear that agencies will be required to use FedRAMP. He followed the announcement by issuing a policy memo, “Security Authorization of Information Systems in Cloud Computing Environments,” to CIOs spelling out how agencies are required to use FedRAMP for cloud computing solutions.

The memo:

  • Establishes federal policy for the protection of federal information in cloud services;
  • Describes the key components of FedRAMP and its operational capabilities;
  • Defines Executive department and agency responsibilities in developing, implementing, operating, and maintaining FedRAMP; and
  • Defines the requirements for Executive departments and agencies using FedRAMP in the acquisition of cloud services.

The memo also gives the CIO Council and FedRAMP PMO 180 days to develop the baseline controls, concept of operations and governance procedures to make FedRAMP operational.

VanRoekel was joined at the White House announcement by GSA Associate Administrator David McClure, Department of Homeland Security CIO Richard Spires, and NIST Information Technology Laboratory Director Charles Romine, who discussed various aspects of how FedRAMP will be organized and implemented.

FedRAMP Focus – Security and Savings

VanRoekel announced that agencies have migrated 40 services to the cloud over the last year and have identified 79 more to migrate to the cloud by June 2012.

In addition to saving money and gaining operational efficiencies, agencies have eliminated more than 50 legacy systems through cloud migration. “We are introducing new levels of security, reliability and in many cases new functionality into these government agencies like collaboration and virtual meetings,” VanRoekel explained.

“We will also see lots of ancillary benefits to cloud efforts such as telework, saving on conferences and collaborating and connecting with people through cloud based mechanisms.”

Cloud computing has become an integral part of government DNA, VanRoekel said. While praising current cloud efforts, he acknowledged that security is a barrier to cloud computing growth. “We are seeing the need to make it easier to acquire cloud services in the federal government and do it as securely as it can be.”

FedRAMP addresses those concerns. Under development for the last two years, FedRAMP is the result of close collaboration between cybersecurity and cloud experts from GSA, NIST, DHS, DOD, NSA, OMB, the Federal CIO Council and its working groups as well as private industry, NGOs and academia.

“Federal Agencies adopting the cloud is inevitable. The only question is if it will be done in a secure or insecure fashion,” said Jennifer Kerber, vice president of Federal Homeland Security Policy for trade group TechAmerica. “The FedRAMP program could be the game-changer in this equation. As such, it should be appropriately funded.”

“FedRAMP introduces a policy approach to developing secure trusted relationships between agencies and cloud security providers,” explained VanRoekel.

“It creates a governmentwide process for the security of cloud computing that reflects consensus between key agencies and stakeholders and has been extensively vetted through academia and the industry.”

Noting that today is just a first step, VanRoekel said that FedRAMP is seeking feedback from both government and the private sector and will continue to evolve and take the FedRAMP process forward.

Finally, FedRAMP will save cash.

VanRoekel said the government spends hundreds of millions of dollars a year securing IT systems, and that much of that spending is duplicative, inconsistent and time-consuming.

“One of the promises and benefits of FedRAMP is that we think this will save about 30 to 40 percent of governmentwide costs associated with assessing, authorizing, procuring and continuously monitoring these cloud solutions.”

He said FedRAMP establishes a standardized approach to security assessment, authorization and continuous monitoring and uses a “do once, use many times” framework that will save the cost, time, money and staff associated with doing this work. It provides a uniform way of doing risk management and uses a baseline of security controls.

Today’s announcement kicks off a number of activities that will make FedRAMP operational in the next year.