Enterprise Strategy Group | Getting to the bigger truth.™

FedRAMP Seeks to Unify Cloud Computing Security Standards Across the U.S. Government

Yesterday, I hosted a panel at the Cloud Computing summit focused on cloud security for the federal government. The panel was made up of some smart folks: Alex Hart from VMware, Bob Wambach from , and one of the primary authors of the Cloud Security Alliance guidelines, Chris Hoff from Cisco.

While these folks offered great contributions, most questions were focused on the fourth member of the panel, Peter Mell from NIST, the chair of the Federal Cloud Computing Advisory Council. Why? Let’s just say that Mell may be the single individual most focused on cloud security in the world. He has been tasked with defining cloud computing standards for the entire federal government–a big responsibility since President Obama and Federal CIO Vivek Kundra continue to trumpet the benefits of cloud computing and push federal agencies to adopt pilot projects.

Mell’s work will soon come to fruition when the feds introduce the Federal Risk and Authorization Management Pilot program (FedRAMP). FedRAMP has two primary goals:

  1. Aggregate cloud computing standards. Today, many agencies have their own sets of standards, which complicates procurement and frustrates federally-focused technology vendors. FedRAMP is intended to consolidate cloud computing requirements into one set of standards that span the entire federal government.
  2. Ease agency certification processes. Let’s say Microsoft’s federal cloud is FISMA-certified by the Dept. of Agriculture. In today’s world, this wouldn’t matter to any other agency–they would still be required to certify Microsoft’s cloud before procuring services. Kundra, Mell, et al. recognize the redundancy and waste here. With FedRAMP, once a cloud provider passes the Certification and Accreditation (C and A) of one agency, all other agencies get a free pass.

Since FedRAMP is still a work in progress, the audience, made up of federal IT people, had a lot of questions about all of the fine points. Thus Mell was in the hot seat for most of the time.

Peter Mell deserves a lot of credit. Federal agencies have often acted independently with regard to IT, so Mell and his team are herding cats.

If FedRAMP works, cloud service providers can deliver to a single set of standards. This will encourage innovation and bolster competition. On the agency side, FedRAMP could pave the way for a wave of cloud computing consumption over the next few years. What happens if FedRAMP fails? The federal government becomes difficult to service, so most cloud service providers treat it as a market niche. If that happens, the federal government could lose its cloud computing leadership and momentum very, very quickly.


3 Responses to “FedRAMP Seeks to Unify Cloud Computing Security Standards Across the U.S. Government”

  1. GoAzure says:

    Learn more and get started on the Cloud for free at
    http://frontrunner.msdev.com/whyjoin/windowsazure.aspx

    When you join the Microsoft Front Runner program, you can access one-on-one technical support by phone or e-mail from our developer experts, who can help get your applications in the cloud. Once your application is compatible, you’ll get a range of marketing benefits to help you let your customers know that you’re a Front Runner.

  2. Jack says:

    You know what? Agencies don’t get a free pass in all this. This is the same information which has been touted time and time again in the C&A world. One agency may use the certification and assessment of another IF they review it and find it acceptable, then the agency must authorize the system for use. FISMA requires the agency heads to be responsible for IT security risk. This cannot be transferred as the mission of each agency is different as is the information it processes, stores or transmits.

    According to OMB Memorandum 04-21 (April 21st, 2010) which is signed by Kundra:

    36. Must Government contractors abide by FISMA requirements?

    Yes. Also, each agency must ensure their contractors are abiding by FISMA requirements. Section 3544(a)(1)(A)(ii) describes Federal agency security responsibilities as including “information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.” Section 3544(b) requires each agency to provide information security for the information and “information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.” This includes services which are either fully or partially provided, including agency hosted, outsourced, and software-as-a-service (SaaS) solutions.

    It later goes on to mention:

    1) Service providers — this encompasses typical outsourcing of system or network operations, telecommunications services, or other managed services (including those provided by another agency and subscribing to software services). Agencies are fully responsible and accountable for ensuring all FISMA and related policy requirements are implemented and reviewed and such must be included in the terms of the contract. Agencies must ensure identical, not “equivalent,” security procedures. For example, annual reviews, risk assessments, security plans, control testing, contingency planning, and security authorization (C&A) must, at a minimum, explicitly meet guidance from NIST. Additionally, IGs shall include some contractor systems in their “representative subset of agency systems,” and not doing so presents an incomplete independent evaluation.

    You’ll note that it states “identical.” FedRAMP does not provide “identical” security to the existing agency systems as fundamentally it has been processed through a different authorization process than other Agency systems. OMB/NIST needs to get on the same page with its message!

  3. Jonathan Griffith says:

    Recall that OMB has regulatory authority that can impact all agencies, while NIST provides guidelines in the special publications, which specify in the foreword of each document that they do not supersede the authority of agency policy.

    Respectfully, Jonathan Griffith – CISSP, CAP

© 2011 Enterprise Strategy Group, Milford, MA 01757