And just like that, Shamun is back with his expanded thoughts on the GAO’s Cloud First findings. If you missed yesterday’s review of the first of the seven findings, click here.
Quick recap: Earlier this month the Government Accountability Office released the results of their study on the Office of Management and Budget’s (OMB) Cloud First policy. The GAO assessed the progress of selected agencies and identified challenges they are facing in implementing the policy. Shamun covers the next three findings in today’s post and will wrap up the series with the remaining for later this week.
• Obtaining guidance: Existing federal guidance for using cloud services may be insufficient or incomplete. Agencies cited a number of areas where additional guidance is needed such as purchasing commodity IT and assessing Federal Information Security Management Act security levels.
FedRAMP reviews and authorizes cloud computing systems at the FedRAMP Low and Moderate impact levels; it does not currently address the FISMA High impact level.
Like FISMA, FedRAMP defines several impact levels. For a cloud service to become authorized at the FedRAMP “Low” level, it must meet the implementation requirements of 168 security controls. FedRAMP “Moderate” authorization requires the implementation of an additional 45 security controls, bringing the total to 213.
Guidance for agencies is readily available and highly recommended. Creating Effective Cloud Computing Contracts for the Federal Government: Best Practices for Acquiring IT as a Service is a joint publication of the Federal CIO Council and Chief Acquisitions Officers Council.
This paper is the next step in providing agencies with specific guidance in effectively implementing the “Cloud First” policy and moving forward with the “Federal Cloud Computing Strategy” by focusing on ways to more effectively procure cloud services within existing regulations and laws. Since the government holds the position as the single largest purchaser in this new market, agencies have a unique opportunity to shape the way that cloud computing services are purchased and consumed across all industries.
• Acquiring knowledge and expertise: Agencies may not have the necessary tools or resources, such as expertise among staff, to implement cloud solutions. DHS officials explained that delivering cloud services without direct knowledge of the technologies has been difficult. Similarly, an HHS official stated that teaching their staff an entirely new set of processes and tools — such as monitoring performance in a cloud environment — has been a challenge. For example, an HHS official noted that the 25-Point Plan required agencies to move to cloud-based solutions before guidance on how to implement it was available. As a result, some HHS operating divisions were reluctant to move to a cloud environment. In addition, Treasury officials noted confusion over National Institute of Standards and Technology (NIST) definitions of the cloud deployment models, but noted that recent NIST guidance has been more stable.
This past February, GSA released the FedRAMP Concept of Operations (CONOPS) document. It provides guidance on FedRAMP operations and on how the CONOPS relates to the program’s other reference documents.
FedRAMP uses a “do once, use many times” framework that intends to save costs, time, and the amount of staff required to conduct redundant agency security assessments and process monitoring reports. The CONOPS document describes all the services that will be available at initial operating capability. The concept will be updated as the program evolves toward sustained operations.
• Certifying and accrediting vendors: Agencies may not have a mechanism for certifying that vendors meet standards for security, in part because FedRAMP had not yet reached initial operational capabilities.
As part of the FedRAMP process, cloud service providers (CSPs) must use a FedRAMP-approved third-party assessor to independently validate and verify that they meet FedRAMP’s requirements. Third Party Assessment Organizations (3PAOs) perform initial and periodic assessments of CSP systems, provide evidence of compliance, and play an ongoing role in ensuring CSPs continue to meet those requirements. FedRAMP provisional authorizations must include an assessment by an accredited 3PAO to ensure a consistent assessment process.
That’s all for now until part three of this series debuts tomorrow. Until then, check out my Benefits of FedRAMP whitepaper, a great resource for govies looking for more information on cloud computing.