The General Services Administration earlier this week unveiled a single authentication standard for government cloud-computing services.
The Federal Risk and Authorization Management Program, known as FedRAMP, will standardize the basic security requirements that cloud-computing providers, such as Google and Microsoft, will have to meet before receiving government contracts. The new guidelines will require contractors to hire third-party assessment organizations that will verify whether they meet the basic security requirements.
The program, developed by GSA, the Defense and Homeland Security departments and the Office of Management and Budget, will set one government-wide cloud security program, which means a vendor such as Microsoft would not have to repeat the security approval process every time it wants to bid on a cloud-computing contract.
FedRAMP’s Web site lists nine accredited third-party assessment organizations that vendors can use to authenticate more than 160 basic security controls, including spam filter capabilities and encryption standards.
This is the latest development in the White House’s cloud-first policy to streamline many government computing functions. Cloud services are often more efficient and more secure than computing handled in-house, said Steven Van Roekel, the U.S. chief information officer.
“The key to security is consistency,” Van Roekel said in an interview. “When you’re in these disparate federal systems you don’t have as many consistent guidelines or controls as companies do on one system.”
The guidelines announced Wednesday set up that consistent standard.
They come as the government is consolidating computer services, such as e-mail, to cloud-based systems. As an example, a single federal agency may operate on more than a dozen separate e-mail systems. The Agriculture Department recently shifted from 21 e-mail providers to one cloud system provided by Microsoft.
The initiative should also help smaller vendors compete for cloud-computing contracts, said Dan Cruz, GSA’s deputy press secretary.
“FedRAMP’s model of ‘do once, use many times’ is helpful to smaller cloud service providers seeking to do business with the federal government by eliminating the need to expend resources for duplicative security authorizations with each federal agency,” he said.