As many as 20 cloud computing vendors will be certified for federal use under a new security assessment program when it launches in June.
The General Services Administration, which manages the Federal Risk and Authorization Management Program (FedRAMP), has said that companies already providing cloud technology to agencies under GSA’s Infrastructure-as-a-Service contract will be among the first to have their technology vetted through the program.
Vendors on GSA’s upcoming Email-as-a-Service contract will also be given priority. After being vetted and meeting any additional standards to ensure security, companies are approved to offer their products and services for sale to agencies. Anywhere from six to 20 contractors will go through FedRAMP in the first six to eight months, said Dave McClure, associate administrator of GSA’s Office of Citizen Services and Innovative Technologies.
“It is not going to be a situation where we will be drowning in FedRAMP applications,” McClure said in an interview this month. “We want to roll this out very cautiously and carefully, [and] make sure it works.”
By fiscal 2014, FedRAMP will be a sustaining program and all products are expected to go through the process, he said.
FedRAMP security requirements, largely based on standards set by the National Institute of Standards and Technology, will apply to information technology systems at the low and moderate security levels.
For example, vendors must be able to prove that they use two-factor authentication. Their system operators must present two forms of evidence, such as a password and an identification card, to verify who they are before accessing systems that provide government services.
Vendors and agencies will have a year to comply with updated security standards, which NIST expects to release in July.
NIST identified gaps in previous guidance to address new challenges, such as insider threats, supply chain risk, and mobile and cloud computing technologies, said NIST fellow Ron Ross in an interview.
NIST standards address the need for cloud vendors to detail where government data is physically stored and processed and to provide a clear contingency plan in case of a terrorist attack or cyber incident.
According to the most recent data from 2009, agencies spend $300 million annually to test the security of IT systems and approve their use in the federal government.
“One of the promises and the benefits of FedRAMP is that we think it will save about 30 to 40 percent of governmentwide costs associated with assessing, authorizing, procuring and continuously monitoring these cloud solutions,” federal Chief Information Officer Steven VanRoekel said in December when announcing FedRAMP. The government spends “hundreds of millions of dollars a year securing information technology systems, and much of that work is duplicative, inconsistent and time-consuming.”
FedRAMP will allow agencies to reduce the number of people it takes to assess and authorize the security of their systems by 50 percent and cut the assessment time by 75 percent, according to the Office of Management and Budget.