Industry participation is higher than expected in a new program that assesses the security of companies’ cloud-computing products and services.
Since June, more than 50 cloud vendors have applied for security reviews under the Federal Risk and Authorization Management Program (FedRAMP), said Dave McClure of the General Services Administration.
FedRAMP sets security standards for federal cloud services. Companies have submitted computing models for private clouds, where services are provided exclusively to an agency or department; public clouds, where services are available to both government and non-government clients and housed in a data center off-site; and government community clouds, where services are provided to multiple government clients.
McClure, who spoke at an industry event in Washington last week, said he expects to exceed the administration’s goal to complete reviews for three cloud vendors by January. Those vendors will receive a provisional authority to operate (ATO) from a joint board of chief information officers from the Homeland Security and Defense departments and GSA. The provisional ATO proves a vendor’s cloud services not only meet federal baseline standards but are secure enough for use by DHS, DOD and GSA.
The provisional ATOs are expected to speed adoption of cloud services throughout government because other agencies can accept the FedRAMP reviews and assess only their unique security requirements, as opposed to starting from scratch.
Documentation produced during the FedRAMP reviews will be stored on OMB’s MAX website for agencies to view and reuse, and McClure expects additional guidance for agencies on how that process will work.
But progress hasn’t come without challenges and lessons learned.
One challenge is that many vendors don’t understand federal security requirements, McClure said.
For example, vendors must prove that their system operators, who have access to the systems that provide government services, use two-factor authentication. This requires users to present two forms of evidence, such as a password and an identification card, to verify who they are before accessing those systems.
Company employees with access to federal data in the cloud must also undergo background investigations, a lengthy process, McClure said. To streamline reviews, vendors meet with the FedRAMP program office early on to ensure they have the proper documentation to prove they meet FedRAMP standards.