The General Services Administration will launch a new effort this fall intended to help agencies overcome their security concerns with cloud computing.
The effort is called FedRAMP, short for the Federal Risk and Authorization Management Program. Under FedRAMP, an interagency group will inspect vendors' cloud computing solutions that federal agencies may be interested in using, to ensure those solutions meet complex IT security standards. Those standards are set by the National Institute of Standards and Technology.
The group will have members from GSA, the Defense and Homeland Security departments and the agency buying the cloud computing service.
Once certified by the group, called the Joint Authorization Board, vendor cloud computing solutions will not need to go through similar reviews again if other federal agencies opt to use them.
GSA hopes the program will eventually be used for all information technology systems, David McClure, associate administrator for GSA's Office of Citizen Services and Innovative Technologies, said today in congressional testimony.
GSA yesterday closed bidding on vendor cloud computing solutions aimed at moving agencies' IT infrastructure (such as servers, routers and switches) to Web-based storage and computing. McClure said one of those products that GSA selects will go through a FedRAMP certification process by October.
Some companies, Google for instance, are already reviewing their security measures for cloud-computing solutions with GSA so they have a head start when FedRAMP is ready to roll, GSA chief information officer Casey Coleman said yesterday in an interview with Federal Times.
The Government Accountability Office told the committee yesterday that federal agencies are wary of moving into the cloud because of security concerns and insufficient guidance from the Obama administration and GSA. The Office of Management and Budget has said that later this year it will issue a federal cloud-computing strategy for the next five to 10 years.
Twenty-two of 24 major federal agencies told GAO that they are "concerned" or "very concerned" about information security risks associated with cloud computing. Agencies also said that having cloud-computing providers precertified for federal information security requirements — which is what FedRAMP will do — would make it easier for them to consider adopting cloud computing.
Gregory Wilshusen of GAO said agencies are now taking a "go slow" approach to cloud computing and putting only "low-impact, low-sensitivity" information in the cloud. He acknowledged that there are "very real risks with putting information out in the cloud."