Not only has cybersecurity started to take shape legislatively, cloud computing security has started to take shape administratively in a meaningful way.

You won’t find huge surprises in the grandly named Concept of Operations (CONOPS) for the Federal Risk and Authorization Management Program, or FedRAMP. The 47-page document does fill out the plan, long promised by The Office of Management and Budget and the General Services Administration. What might be surprising is how elaborate the procedures and project plan turn out to be.

If the federal government is going to be a leader in the adoption of cloud computing, it better hurry up.
This article originally appeared on FedInsider.com.
Recall that under FedRAMP, cloud computing providers are to have their cybersecurity promises verified and certified once, so that any and all federal customers could contract for service without having to conduct their own, individual certifications and accreditations. The originator of the program, former CIO Vivek Kundra, rightly understood: That would be a prohibitively expensive and bureaucratic cloud-killer.

Given that both the Departments of Defense and Homeland Security participated, along with NIST and GSA, in establishing FedRAMP, its security schema should be sufficient. Maybe not for the National Security Agency, but for everyone else. The CONOPS is supposed to move from the CON stage to the OPS stage in June.

If nothing else, the CONOPS document puts all the key words in one place, including:

  • JAB, or Joint Authorization Board, the government panel that gives “provisional authority” to a cloud provider. It’s made up of the CIOs from the aforementioned agencies.
  • JAB Technical Representatives, a subgroup the CONOPS also establishes, who do the ground-level work.
  • 3PAO, or third-party assessor. These will be outside groups – vendors, academics, non-profits are all eligible – who validate that the provider has the right controls in place such that its “security package” complies with the FedRAMP requirements.

What should concern agencies is not so much the somewhat baroque internal governance and operational norms of FedRAMP and its program management office, but rather which 3PAO a cloud provider chooses to have itself assessed by, and the eventual list of assessed cloud providers, which agency customers can use to speed their move to cloud computing.

The machinery won’t start spitting out accredited cloud providers in large numbers until deep into fiscal 2013, with wheels up in fiscal 2014.

The question arises, is FedRAMP holding back cloud adoption with its elaborate, risk-eliminating procedures?

Contrast that with the Defense Business Board, which, in its latest report is urging the Defense Department to get on with more cloud computing as part of a larger set of recommendations for modernizing IT.

The report was widely cited in the media as being all about the job structure of the department’s CIO, Teri Takai. But its main message is found on slide 11: “Continuation of status quo has a negative ROI.” The Board calls it a myth that cloud computing is less secure than conventional systems, or that cloud systems deliver a lower level of performance to users.

The Board also notes that “establishing [a] clear strategy and ‘concept of operations’ is essential.”

Well, that step is done. Agencies, both DOD and civilian, are in fact moving here and there to cloud implementations for the obvious first-round candidates, principally e-mail and office productivity apps.

The former Air Force CIO, Dale Meyerrose, now with Harris Corp., told me a number of years ago that the way to move in IT is to start small but scale up fast. That would be a good mantra for the federal cloud movement.

Tom Temin is editor in chief of FedInsider.com and co-host of The Federal Drive on WFED AM 1500.