Federal Chief Information Officer Steven VanRoekel announced Thursday the launch of a governmentwide program that will quickly ensure that commercial cloud computing products and services meet federal security needs.
The program is called the Federal Risk and Authorization Management Program (Fedramp), which VanRoekel called a "monumental first step" in addressing security concerns around cloud computing.
Security concerns have been a major barrier to governmentwide adoption of cloud computing. For some agencies, the cost of moving to the cloud, including certifying that vendors meet federal security standards, is another deterrent.
"One of the promises and the benefits of Fedramp is that we think it will save about 30 to 40 percent of governmentwide costs associated with assessing, authorizing, procuring and continuously monitoring these cloud solutions," VanRoekel said during a call with reporters. The government spends "hundreds of millions of dollars a year securing information technology systems, and much of that work is duplicative, inconsistent and time-consuming."
Fedramp is a joint effort among various groups and agencies, including the Office of Management and Budget, General Services Administration, Department of Homeland Security and National Institute of Standards and Technology, and has been under development for two years.
VanRoekel expects Fedramp will be ready for use by June.
Dave McClure, associate administrator of GSA's Office of Citizen Services and Innovative Technologies, said that "regardless of whether an agency formally puts something through the Fedramp process … all agencies are expected to use the Fedramp baseline controls" to determine if cloud products are secure.
The administration will also be releasing guidance to industry on how to get products certified under Fedramp. The process can be initiated by an agency or a vendor.
VanRoekel also said:
• Agencies have saved nearly $1 billion in the past year through TechStat sessions, which are in-depth, top-level reviews of troubled IT projects. Savings were achieved by changing the scope or governance of the projects and, in some cases, by terminating them.
• Agencies have transitioned 40 IT services to the cloud and have eliminated 50 legacy systems.