North Carolina-based Autonomic Resources last week became the only firm to complete a new security review process for all federal cloud products and services.
The Federal Risk and Authorization Management Program (FedRAMP) was launched in June to standardize security reviews of commercial cloud products. The program is housed within the General Services Administration.
As part of FedRAMP, a joint board of chief information officers from the Homeland Security and Defense departments and GSA reviewed Autonomic’s cloud offering and whether it met federal security standards. The company had to verify that it met some 300 security requirements, including proof that its systems operators, who have access to systems that provide government services, use two-factor authentication. Two-factor authentication requires users to provide two forms of evidence to verify who they are before accessing the systems.
Autonomic is the first cloud vendor to receive a so-called provisional authority to operate (ATO) from the joint board of CIOs. The provisional ATO proves a vendor’s cloud services not only meet federal baseline standards, but also are secure enough for use by DHS, DOD and GSA.
The provisional ATOs are expected to speed adoption of cloud services throughout government because other agencies can accept the FedRAMP reviews and assess only their unique security requirements, as opposed to starting from scratch. “By using FedRAMP and eliminating redundant security assessments, agencies can save an estimated $200,000 per authorization,” GSA’s Dave McClure said in a statement.
By now, the administration had hoped to complete at least three FedRAMP reviews. In September, McClure said one challenge is that many vendors don’t understand federal security requirements.
The joint board expects to issue additional ATOs early this year, according to GSA.
By June 2014, all cloud services and products in use at federal agencies or in an active acquisition process must meet FedRAMP requirements. Agencies can use FedRAMP guidelines to vet the security of their own contractors, or wait for FedRAMP reviews to be completed.