The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program established in December 2011 to speed the adoption of cloud computing. FedRAMP includes a set of requirements for federal cloud computing and universal procedures for approving services and providers to work with the government. When contractors feel that they have met FedRAMP requirements, they must have their security control implementations independently verified and validated by a FedRAMP accredited Third Party Assessment Organization for compliance which then submits a security assessment package for review by the cross-agency Joint Authorization Board (JAB) . FedRAMP is expected to be operational by June and will be mandatory for all government cloud deployments of low to moderate risk levels except for single agency private clouds. Agencies can also add additional requirements on top of the FedRAMP controls. The goal is to establish standards to ease fears about cloud security while saving time and labor through one federal standard rather than redundant agency standards, allowing organizations to leverage past approvals elsewhere.
After looking at over 1000 comments from government and industry, FedRAMP released its list of security controls earlier this month. The controls are based on the National Institute of Standards and Technology special publication 800-53, Revision 3, which are already in place for each federal agency through the Federal Information Management Security Act (FISMA), with additions relating specifically to security in the cloud. The 800-53 standards are characterized by measures to ensure the consistent application of security practices and continuous monitoring of near-real time data.
Additions include controls to deal with trust on shared resources and to dictate secure practices for Platform-as-a-Service, Software-as-a-Service, and Infrastructure-as-a-Service. PaaS and IaaS are to have session locks and SaaS needs to have cryptography up to federally mandated standards. Service providers must support the capability to produce, control, and distribute asymmetric cryptographic keys. Identity and privilege are to be tightly managed, with means to identify foreign nationals and contractors on government networks and enforce role-based access controls at the file, table, row, column, or even cell level if necessary. There are extensive documentation requirements. Service providers must maintain a list of software programs authorized to execute on the information system and submit it to the JAB for approval, and must also document all outsourced security services as well as conduct a risk assessment of future outsourced security services to be approved by the JAB. To gain authorization, service providers must also submit updated code analysis reports and, in the Continuous Monitoring Plan, how new code will be reviewed. The JAB must also approve a list of security functions that must be routed for DHS monitoring such as authentication and resource provisioning and what internal communications traffic will be routed through authenticated proxy server to which external networks. Service providers are to logically or physically separate administrator information security tools, mechanisms, and support components and set resource allocation priorities for the moderate impact systems. The full list of controls contains more additions and specifics.
FedRAMP has already gotten a mixed response. Government executives say that the program will speed up the adoption of cloud computing by simplifying the authorization process for cloud services. If a Third Party Assessment Organization and the Joint Authorization Board find a service to be compliant, any and all government agencies can adopt it. That is, however, only if individual agencies don’t add too many additional conditions to the controls, which some researchers fear will happen. Also, as noted above, the authorization process is very documentation intensive with many steps that may create a bureaucratic nightmare as cloud services rush to get authorized. Rather than speed up the adoption of cloud services, FedRAMP could create a bottleneck. To combat this, the JAB intends to view authorization packages in order of priority and grant provisional authorization if necessary.