In a blog post a few weeks back, we discussed the government policy of “cloud first.” The policy requires government agencies to consider and evaluate cloud options for IT-related purposes. Of course, with anything government-related, security is of the utmost concern. Therefore, the success of the policy hinges on the new government program FedRAMP (Federal Risk and Authorization Management Program), the goal of which is to evaluate the security of cloud service providers for agencies enacting the cloud first policy.
According to the program’s website, it is “a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.” It supports the cloud first policy by setting a standard for the baseline security requirements that cloud service providers must meet before receiving any government contracts, with the aim of accelerating the adoption of cloud technology. Cloud service providers (CSPs) can submit their offerings to be authorized by FedRAMP. Authorization involves four elements: 1) a security assessment, 2) leveraging the authority to operate (ATO), so that an authorization granted once can be reused by other agencies rather than repeated, 3) ongoing assessment and authorization (continuous monitoring), and 4) an independent assessment performed by an accredited Third Party Assessment Organization (3PAO).
According to Steven Van Roekel, the U.S. chief information officer, the federal government aims to move most of its processes to the Cloud because it is often more secure than performing the same functions in-house. This stems from the fact that the Cloud offers users the chance to maintain consistency in their computing practices: “The key to security is consistency. When you’re in these disparate federal systems you don’t have as many consistent guidelines or controls as companies do on one system,” Van Roekel said.
FedRAMP has produced a list of 160 security controls that a 3PAO should look for when evaluating a CSP. They were selected from the NIST catalog of controls (NIST Special Publication 800-53) and are specified for low- and moderate-impact information systems. The controls are broken down into the following categories:
- Access control
- Awareness and training
- Audit and accountability
- Assessment and authorization
- Configuration management
- Contingency planning
- Identification and authentication
- Incident response
- Media protection
- Physical and environmental protection
- Personnel security
- Risk assessment
- System and services acquisition
- System and communications protection
- System and information integrity
Each of these categories contains several controls and guidelines that specify standards CSPs must meet. For example, under the physical and environmental protection category there is an emergency shutoff control; it requires the service provider to define where its emergency shutoff switches are located, so that power to the system can be cut in an emergency.
If FedRAMP is able to standardize cloud security practices, it may give the Cloud the final push it needs to dominate the IT world. At IronOrbit, we provide highly secure, customizable cloud solutions for SMBs. Our Orbital Security offers multiple levels of threat management to ensure that the network and your data are always protected.