In the ongoing saga of Federal adoption of clouds one of the sticky wickets has been the requirement by law that all Federal information systems comply with the Federal Information Security Management Act of 2002, commonly referred to as FISMA.
In a very small nutshell, FISMA requires that information systems comply with security guidelines that are the responsibility of the National Institute of Standards and Technology (NIST) and that these systems are monitored for vulnerabilities.
As new systems are developed they must be accredited – they must go through a formal Certification & Accreditation (C&A) process that has a voluminous checklist of items that must be validated by an independent auditor. Actual physical items like access to the equipment room, security of cableways, and type of walls in the room housing the system’s electronic components must be verified and validated by the auditor. Agencies typically spend around $200K to certify each new system – and it may take several months as well as rework to receive accreditation.
There are several characteristics of current public clouds that make them profitable to operate: (1) data can be stored in Kalamazoo or Timbuktu and the cloud user does not know or care as long as the provider guarantees the security – failure to do so results in loss of customers. (2) Storage, application software and database servers are shared among all users. (3) For Platforms as a Service the provider makes available a programming language to developers that pretty much ties that application to that provider for its life.
In a C&A inspection, co-location of your sensitive government application and data with other, unknown end users is a no-no. Storage outside the United States is a no-no. In fact, the lack of an ability to inspect the entire physical infrastructure is a big no-no.
So, what to do now that the Federal CTO and CIO are pushing Agencies to move to clouds to save power and other operating costs?
NIST has been working on this problem for about 18 months, deliberating with Agencies and commercial providers to come up with a solution that will permit Agencies to move to the Cloud with confidence that they are secure and have NIST’s blessing.
The Federal Risk and Authorization Management Program (FedRAMP) is a part of the solution. The FedRAMP process will provide for joint authorizations – Government-wide security requirements, a Joint Authorization Board to perform authorizations, and a new FedRAMP program office to manage the program and perform inspections. It is a voluntary program in that agencies could still choose to do their own assessments or require more stringent security requirements.
So it seems that the Government will sometime in the not too distant future be able to tell vendors interested in providing cloud services what the requirements will be and what they will need to do to gain authorization from the FedRAMP office-to-be.
A significant addition to your acronym list; we’ll see how it plays out.