Federal gov't releases draft cloud security guidelinesCIO Council this week released a draft document outlining a proposed government-wide cloud computing risk and authorization management program.
The Federal Risk and Authorization Management Program (FedRAMP) was developed to provide a standard approach for assessing, authorizing and monitoring cloud computing services and products used by the federal government.
The proposed program is outlined in a 90-page draft document, released Tuesday. It will promote a faster and more cost-effective method of acquiring cloud computing systems by allowing services to be authorized once, and then used by multiple agencies, the document states.
The first phase of FedRAMP is expected to go live during the first quarter of 2011.
“The ability to embrace cloud computing capabilities for federal departments and agencies brings advantages and opportunities for increased efficiencies, cost savings and green computing,” the draft document states. “However, cloud computing also brings new risks and challenges to securely use cloud computing capabilities as good stewards of government data.”
FedRAMP appears to answer some of the concerns detailed in July by the U.S. Government Accountability Office, which concluded in a report that nearly all federal agencies lack policies around securing data hosted in the cloud and that a lack of government-wide guidance appeared to be the major holdup.
Security is a primary barrier to cloud adoption for many organizations, according to a survey released last month by multifactor authentication provider PhoneFactor. In the survey of 300 IT professionals, 42 percent of respondents said security concerns have held their company back from adopting cloud computing.
Preventing unauthorized access to data is one of the chief concerns associated with cloud computing, Steve Dispensa, CTO and co-founder of PhoneFactor, told SCMagazineUS.com in an email Thursday.
“Cost-conscious organizations (including the federal government) want to take advantage of the savings of cloud computing, but security is a huge hurdle,” Dispensa said. “Providing a centralized framework for verifying the security of cloud systems will make it easier for federal agencies to evaluate the level of security and ultimately make the move toward cloud computing.”
The FedRAMP draft outlines a list of baseline security controls for cloud computing systems, a process to continuously monitor systems and a description of the proposed approaches for authorizing and assessing systems.
The document was developed over the past 18 months by a team of individuals from government, the private sector and academia, including individuals from the National Institute of Standards and Technology, General Services Administration, CIO Council, state and local government, and the private sector.
The government is seeking input about the proposal and ideas about the appropriate security controls and processes that should be considered for the federal government's move into cloud computing, federal Chief Information Officer Vivek Kundra wrote in the document's preface.
Comments can be submitted until Dec. 2. At the end of the feedback period, representatives from across government will review all comments for consideration in the final document.
A growing number of federal agencies are running some form of cloud computing, but nearly all lack policies around securing data hosted offsite, according to a new report from the U.S. Government Accountability Office (GAO).