Keeping the cloud secure
By Marjorie Censer
The government will soon roll out a program that could offer a smoother path for companies that want to sell their cloud services and products to federal agencies.
The General Services Administration is readying what’s known as FedRAMP (shorthand for the Federal Risk and Authorization Management Program), an initiative to standardize the security of cloud products and services and accelerate their adoption.
Local contractors have been increasingly focused on the cloud, particularly since the federal government implemented a “cloud-first” strategy in 2010. Advocates say cloud computing is more efficient as it relies on shared computing resources rather than individual servers and other equipment.
Still, “the number one issue for years in cloud has been security,” said David L. McClure, associate administrator of GSA’s Office of Citizen Services and Innovative Technologies. “It’s always been one of the preeminent concerns that [chief information officers] express when you ask them ... are you going to move your services.”
FedRAMP is meant to address those issues. The GSA is to announce later this month a batch of third-party assessment organizations, or companies approved to evaluate those who want to provide cloud services to the government.
As of June 6, the GSA expects to start an initial version of FedRAMP, and a joint authorization board — made up of the chief information officers from the Pentagon, the Department of Homeland Security and GSA — is to begin evaluating applications from cloud service providers that have been assessed by the third parties.
McClure said the process will reduce the redundancy of multiple agencies evaluating the same cloud product. The program should save “enormous amounts of time and money that we currently invest as a government in security reviews,” he said.
For companies, the program promises to provide a quicker way to sell to the government.
“We see FedRAMP as a next step in the evolution of cloud computing adoption and execution,” said Seth Finkel, vice president for emerging technology at Chantilly-based Apptis. “FedRAMP is going to make it more difficult for folks to fake it.”
Apptis, which was acquired by URS, already has a partnership in place with Amazon Web Services, and the two companies’ cloud infrastructure offering has already been certified through an existing GSA program.
Shawn P. McCarthy, research director at IDC Government Insights, said many of the larger contractors with experience integrating various systems will likely be well positioned in the program’s early stages.
But he expects FedRAMP to potentially make it easier for software companies to work directly with the government, rather than using systems integrators or larger firms to sell their business.
Microsoft has been closely following FedRAMP, said Susie Adams, chief technology officer for Microsoft’s federal business.
“As a cloud service provider, what we don’t want to have to do is create separate security packages” for every agency, Adams said. “We are really hoping ... we’ll be able to do this and have other agencies leverage a single package over time.”
Still, it could take GSA and contractors some time to adjust to FedRAMP, which is expected to be rolled out in phases.
“It’s a lot of bureaucracy, and it’s going to take a while to work out all the kinks,” said Jason Bloomberg, president of McLean-based cloud company ZapThink.