How do agencies extend their governance, risk and compliance programs to take cloud computing initiatives into account?

That’s a question that panelists grappled with during a discussion of cloud-computing security issues at the annual FOSE conference in Washington, D.C., on Tuesday.

“In looking at moving data and operations onto the cloud environment, the question that comes up is, how do I control it if it’s no longer under my direct responsibility?” said Ben Tomhave, principal consultant with LockPath, a company that develops governance, risk management and compliance software. “How do we achieve things like continuous monitoring objectives and implement proper risk management programs? These (questions) represent a fairly heady challenge.”

As agencies move to a cloud-based environment, they are going to have to start performing actual risk management and do risk analysis, Tomhave said. “This is something that current practices are not overly aligned to meet,” he said. “So this is going to be a key challenge, especially for the public sector going forward,” he said.

Panelists agreed that a major step toward answering such challenges and assuring cloud computing security across the government is the Federal Risk and Authorization Management Program (FedRAMP),, a governmentwide initiative that will give agencies with a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.

FedRAMP uses a “do once, use many times” framework that will save cost, time and staff required to conduct redundant agency security assessments. The first version of FedRAMP will be rolled out in December, though its “initial operating capability launch” will take place around June 10, said Katie Lewin, director of federal cloud computing programs in the GSA’s Office of Citizen Services and Innovative Technologies. GSA is a partner agency in the development of FedRAMP.

FedRAMP security framework is based on the security controls in the Federal Information Security Management Act.

“There are no new controls [in FedRAMP] but it’s the interpretation of about 300 controls as to how they should be applied to cloud products and services,” Lewin said. Agencies will have to use the controls listed under FedRAMP for all cloud-based services, she added.
Agencies also must get better at communicating to cloud providers what they want in cloud security controls, Lewin said.

“There’s a lot more interpretation and discussion that needs to happen between the cloud service provider and the government,” Lewin said. “One lesson that we’ve learned that we are going to apply to FedRAMP is you can’t just give a private sector company a list of standards to comply with and say ‘Call us when you’re done,’ because there’s lots of communication that needs to happen about what the government agency is actually looking for and how these controls really are going to be interpreted.”

Many agencies are taking an easier-and less risky-path to cloud computing by moving less critical applications to the cloud first.

In 2010, the Office of Management and Budget mandated under its “cloud first” policy that agencies identify three “must move” services for cloud migration and move all three to the cloud by the end of this fiscal year.

“What we’re seeing is that lots of agencies are moving their public-facing Web sites first,” Lewin. “The reason for that is they’re easily updatable, it’s not secure data and it makes it more easily accessible to more people. That’s happened a lot.”

Agencies are looking moving to cloud-based email and data storage.

“They have data, they need to keep it but perhaps they don’t have to have it immediately accessible,” she said.

Tomhave agreed.

“You start the data that represents the least risk of compromise and then work backwords from there,” he said.

What’s ahead for cloud security?

Security experts at the National Institute of Standards and Technology, also a partner in the FedRAMP program, look to the near future “when we can start developing performance metrics for the cloud,” said Robert Bohn, cloud computing program manager at NIST. “That would be great for the government and everyone else once we can start measuring this utility like we measure our watts or our water. That effort is being pushed.”