Federal officials have completed two test runs of the government’s new cloud computing assessment program to work out any kinks before the June launch.
The General Services Administration, which manages the Federal Risk and Authorization Management Program (FedRAMP), held training sessions for chief information officers from GSA and the Defense and Homeland Security departments to simulate their roles on an interagency review board, said Dave McClure, associate administrator of GSA’s Office of Citizen Services and Innovative Technologies. CIOs reviewed mock security assessments to discuss whether they met FedRAMP standards.
Starting in June, the interagency board will review companies on GSA’s Infrastructure-as-a-Service contract and others that are providing similar services to agencies across government. Vendors that are not initially reviewed by the board will have to show they meet FedRAMP security standards through an approved independent assessor.
“We are trying to get the process worked out and tested,” McClure said. “How do we set this up so that we streamline [FedRAMP] and… become aggressive solution finders for answers to questions or problems?”
There is often miscommunication between the agency and vendor on what is acceptable proof to verify security of a service or product, said McClure, who spoke at an Association for Federal Information Resource Management event Friday morning. GSA will soon provide standard templates for agencies and cloud providers to use throughout the process, McClure said.
“It creates shared expectations up front… based on clear tangible documents that explain what needs to be done,” said Kathy Conrad, principal deputy associate administrator for GSA’s Office of Citizen Services and Innovative Technologies.
The interagency group of CIOs, called the joint authorization board, will have to meet virtually and in person to work through the FedRAMP review process, McClure said. The board will rely heavily on technical representatives to help review vendors’ security packets and streamline the review process.
Still, there are other issues that must be addressed, such as continuous monitoring.
GSA has not decided how the government will determine the ongoing security of its vendors. What information will be exchanged and who can access the information has not yet been determined, McClure said.
GSA is still working through program logistics, but CIOs are confident that FedRAMP will have many benefits.
FedRAMP will drive greater adoption of cloud computing in the federal government and spur increased competition for federal business, said DHS CIO Richard Spires, who also spoke at the event.
The program is also in line with the federal CIO’s vision for shared services, said GSA CIO Casey Coleman.
“It’s not going to be perfect, but we have spent a lot of time trying to think through how to make sure this works well,” McClure said.