John Keese knows, better than most cloud computing contractors, the cost of doing business with the federal government.
Keese’s North Carolina-based firm, Autonomic Resources, is the only cloud provider to have completed a rigorous security program for federal cloud products and services. Industry experts say the security reviews can cost hundreds or hundreds of thousands of dollars depending on a company’s size and the types of technology requiring testing.
“It’s a matter of managerial commitment to say we need to do it,” Keese said of the program. “It costs money. It cost me lots of money, but you put your investment where the government is heading.”
By June 2014, all cloud services and products used by federal agencies must meet Federal Risk and Authorization Management Program standards. In a race to meet that deadline, many companies aren’t adequately planning for the cost, time and security demands of FedRAMP.
“The biggest obstacle to FedRAMP authorization that [cloud companies] face is lack of preparation,” said David Svec, a principal at Veris Group, which specializes in cybersecurity services for industry and government. In an effort to enter the federal cloud market as early as possible, many companies are requesting security reviews prematurely, Svec said in an October paper on FedRAMP success factors. This wastes resources and inevitably prolongs the process, he said.
FedRAMP’s ability to speed adoption of cloud services in the federal government depends largely on how many and how quickly companies receive FedRAMP certification.
By now, the government had hoped to have two or three companies complete independent security reviews required by FedRAMP, and additional scrutiny and endorsements from a joint board of chief information officers from the General Services Administration and the Defense and Homeland Security departments.
Since the program’s June launch, Autonomic Resources is the only company to have completed the process. More than 80 companies are awaiting reviews, said Katie Lewin, who heads the Federal Cloud Computing Initiative Program Management Office at GSA.
“Until you meet [FedRAMP] security requirements, agencies are going to be hesitant about where they put their virtual assets,” Keese said.
Some agencies, such as the Interior Department, are already requiring potential cloud contractors to meet FedRAMP standards.
‘More than just documentation’
FedRAMP “is a lot more than just the documentation; it’s really making sure that all the security controls … can be met,” said Svec, whose company performed the independent security review of Autonomic’s cloud offering.
In preparation for the review, companies should be able to verify how they encrypt data and clearly define what hardware, software, personnel and physical locations are used to support their federal cloud business, Matt Goodrich, FedRAMP project manager, said during a webinar this month.
Goodrich said some cloud providers use an outside firm to help them prepare the FedRAMP documentation describing how federal data stored in the cloud will be protected.
A separate independent security review firm, called a third-party assessment organization, verifies the documentation, a step that can take a month and a half.
Overall, the FedRAMP process takes a minimum of six months, and that’s assuming cloud providers have thorough documentation.
To prepare for security assessments, Goodrich said cloud providers should:
Ensure the third-party assessor has personal contacts for at least three people within the company, including a representative from the company’s 24-hour security operations or network operations centers.
Ensure staff know when the assessor will be on site to test security.
Provide the security assessor with a list of the facilities to be reviewed, including the addresses.
Provide the assessor with adequate access to facilities and personnel, as needed, to verify security requirements.
“The process consumed our staff in significant ways, but we dedicated people to do that,” Keese said. “We went in with eyes wide open.”
As a vendor on two GSA cloud contracts, Keese’s firm had been through a similar GSA review. The agency’s cloud assessment and authorization was a precursor to FedRAMP.
Since completing FedRAMP, Keese has received numerous calls from interested agencies, including the Defense Information Systems Agency and the Air Force.
But some companies, including foreign companies, seeking FedRAMP certification have never done business with the federal government, said Paul Nguyen, vice president of cyber solutions at Reston, Va.-based Knowledge Consulting Group. FedRAMP will be harder for them.
Keese said companies shouldn’t expect an immediate return for investing in FedRAMP, which industry experts say could cost up to hundreds of thousands of dollars for security reviews and even more in the long term to continuously monitor the security of those cloud services.
“They have to understand it’s a necessary part of doing business with the federal government,” Keese said.