Federal Cloud Security Proposal Unveiled
By Mark Henricks
Eighteen months in the making, the federal government’s
proposed standard for cloud computing security has been unveiled
and is now receiving comments. The Federal Risk and Authorization Management
Program (FedRAMP) as proposed builds on existing guidelines for government IT
systems from the National Institute of Standards and Technology. Commenters
have until Dec. 2 to submit comments.
FedRAMP is intended to let federal agencies use cloud
services that have been vetted according to a government-wide security
standard. Many federal agencies are interested in implementing cloud-based
solutions, but are hesitant because of unresolved security issues. As the
proposed standard notes at one point, “The decision to embrace cloud computing
technology is a risk-based decision, not a technology-based decision.” It’s
anticipated that having a set of pre-approved, government-wide security
benchmarks will speed certification and accreditation of cloud computing
products and services.
The new standard addresses three cloud service models:
Software as a Service (SaaS), Platform as a Service (PaaS), and
Infrastructure as a Service (IaaS). The baseline benchmarks specify processes
and procedures for security matters ranging from access control policies and
remote access to security training and audits. The source for most of these
standards is NIST's Special Publication 800-53R3.
The General Services
Administration and CIO Council have been working with NIST, state and local
governments, academics and non-governmental organizations for the last 18
months to produce the widely anticipated drafts. The announcement by Kundra’s
office indicated that the first phase of the new security standards will be
implemented in the first quarter of 2011.
Until Dec. 2,
comments will be accepted online from government sources, private organizations
and the public at large. Comments can be submitted through links found at the
FedRAMP website. The same site also
contains downloadable documents pertaining to the proposed standard.
In addition to providing information about the draft
standard online, the General Services Administration will hold a pair of
information sessions during the comment period. One will be for government
agencies. The other is for vendors. Both will take place in Washington, D.C.
Vendors have been as interested in the standards as federal
agency IT professionals, because the lack of broad-based security standards has
held up what are expected to be sizable volumes of government purchases of
cloud products and services. Adhering to the security benchmarks will be
voluntary, but vendors will likely sign on to them in large numbers in order to
tap the federal procurement markets.
However, the announcement for the new standards informed
commercial vendors that they cannot directly request FedRAMP authorization for
their offerings. Requests for FedRAMP’s stamp of approval must originate with a
federal agency that is using or planning to use a cloud product or service. The
statement to vendors noted that it may not be possible to initially accommodate
all requests for FedRAMP certification. In that case, the priority will go to
systems that will have a large user base or that will be used by multiple
Federal agencies.
Comments (1)
1. 12-04-2010 20:05
This seems like a good step in trying to make the information resources used by the federal government more efficient. However, I do worry about the true security implications of this. Hopefully, the vetting process that must be run on the prospective vendors will be very thorough and able to keep the information truly secure.
-sean
Registered