Federal CIOs say agencies and government contractors must become completely familiar with FedRAMP security controls and how they relate to each agency prior to the cloud computing service program’s launch this summer.
Richard Spires, CIO of the Department of Homeland Security, was one of several CIOs who spoke about FedRAMP at a trade group breakfast Friday. He told the packed breakfast meeting that contractors and agencies alike have to remember that FedRAMP is “not just an optional thing we can elect to do,” it’s mandatory.
He advised contractors who already are providing cloud services to an agency to work with that agency on gearing up for the FedRAMP controls because those who do will “pretty much go to the head of the line.”
FedRAMP, the Federal Risk and Authorization Management Program, is a government-wide initiative that will give agencies a standardized approach to the approval process for Web-based cloud computing services. The initial operating launch of the system is expected in June.
Spires and the others on the panel suggested that the streamlined FedRAMP process will save money in the long run as well as the short run. He said small savings will come from standardizing security controls. Larger savings, he suggested, will come from increased competition as agencies and private companies have a standardized set of rules to work with for cloud computing services.
Casey Coleman, chief information officer for the General Services Administration, advised contractors, especially those who may be new to the federal market, to educate themselves on what security controls will be required under the FedRAMP guidelines.
“This is the minimum that’s going to be required and in some cases, it might go beyond that,” Coleman said during the panel discussion sponsored by the Association for Federal Information Resources Management. “This is really what the entry into this market is going to look like,” she said. “The education process and familiarization process, especially for those who may be less familiar with the compliance framework of the federal government, is very important. And it will speed up the process if new entrants come in with that understanding in hand.”
The idea behind FedRAMP, according to the panel experts, is to implement a “do once, use many times” approach. David DeVries, deputy CIO for information management, integration and technology at the Department of Defense, said it’s a welcome concept. DeVries explained that every time an “authorization to operate” requisition comes into his office, the paperwork pile is 6 inches thick. The idea behind FedRAMP, he said, is to standardize 4 inches of that 6, and get many agencies to use the same bundle of reference material.
“Two-thirds of it is going to come from a common source,” he said. “I don’t have to pay someone to reproduce it.”
After the discussion, DeVries acknowledged that getting agencies as diverse and complicated as DoD to accept a standard security assessment is not an easy task. But he said that as people get used to the standards, it will take hold.
“Word of mouth will spread it,” he said. “It’s like having a favorite mechanic who is certified to fix your car. You don’t really know it’s fixed until you get it back.”
The FedRAMP security framework is based on the security controls in the Federal Information Security Management Act. FedRAMP is the result of collaboration with cybersecurity and cloud experts from GSA, NIST, DHS, DoD, NSA, OMB, the Federal CIO Council and its working groups, as well as private industry. The program is part of a coordinated government-wide effort to simplify the approval process for Web-based cloud computing services.
DoD’s DeVries said in his career he has spent a lot of time in Europe moving between countries. In the past, he said, it was difficult to go from nation to nation because each country required a separate set of documentation and it wasn’t always the same information. Now, with the European Union, that movement has become easier and more standardized and streamlined.
“It’s kind of like that going to cloud services,” he said. “I have to trust that when my data I am putting into the cloud is secure, I can get into it and I know who is getting into it. It’s all about information sharing. Cloud services are going to break down those barriers.”