The US government is hard at work consolidating its data centers, and trying to optimize its operations. This effort is driving a lot of public sector IT onto cloud-based deployments, and indeed there is now a policy of creating no new data centers, and using the cloud instead. 

However, these are government operations, which must address a myriad of security and regulatory requirements, so a lot of the inherent simplicity of the cloud model is lost, at least for those responsible for security and compliance issues. Various government initiatives are attempting to recover that simplicity, while retaining the rigor required by the public sector. And the private sector is benefitting from the programs that are being developed.

Organizing security risks

The US government set out its security requirements in FedRAMP (the Federal Risk and Authorization Management Program), which simplifies the decision process for government agencies by providing a pre-approved list of certified cloud providers.

FedRAMP took a basic approach - surprisingly enough, the most obvious one. It uses the concept of hybrid clouds to address security and compliance with a combination of on-premises clouds and public clouds. Different clouds, depending on where they are hosted, can support different levels of security and compliance requirements, so as to meet the specific needs of specific projects, while still providing cloud-style ease of use.

Government agencies that have been early adopters of the technology have begun to provide cloud services to other agencies. The best known of these is DISA (Defense Information Systems Agency), which provides email and collaboration services throughout the Department of Defense. Another example is the website, which despite its applicability to a huge swath of American citizens looking to understand their government benefits, is actually hosted by the Department of Agriculture’s National Information Technology Center cloud, rather than in a directly related branch of the government.

List of requirements

Both FedRAMP and DISA have released requirements for providing compliant cloud systems to the Federal government. FedRAMP starts with the requirement of mapping to the Federal Information Security Management Act (FISMA) baselines, as defined by National Institute of Standards and Technology (NIST) 800-53, originally for just low and medium impact information, but in 2015 the high-impact baseline standards were added.

The DoD was initially hesitant to give individual agencies the ability to negotiate for services, with DISA originally handling all negotiations for services from public cloud vendors. It eventually decided that individual DoD agencies could make their own public cloud deals, pursuant to the guidelines outlined in its cloud computing security requirements guide (SRG), which included requirements above and beyond those necessary to meet FedRAMP compliance. Despite these additional requirements, services that meet the requirements of the SRG can only be used for the lowest levels of secure information within the DoD: those items that are unclassified or classified as Secret.

NIST 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, is the critical defining document for FedRAMP compliance. Its catalog of security controls related to system availability, confidentiality and integrity is further defined into specific requirements that must be met to demonstrate FedRAMP compliance. A vendor offering a compliant system does not need to meet all three impact levels, but at this point in time, most vendors have offerings that meet the low and medium impact levels, with major vendors looking to get their cloud services approved for the high-impact level, which includes securing information that could have a severe negative effect on individuals, organizations, or operations if made public.

High impact approvals

Three cloud service providers, Amazon Web Services (AWS), Microsoft Azure and a specialist provider CSRA/Autonomic, participated in a pilot program to achieve the first high impact baseline authorizations as part of the process for releasing the baseline requirements to the public in April 2016. This program involved adding approximately 100 additional controls beyond those required for the moderate baseline. Much of the additional work is focused on providing higher levels of encryption, additional methods of authentication, and specially focused training for service provider personnel.

As of mid-2016, there are almost 50 FedRAMP compliant cloud service providers. To be on this list, the CSP has to have gone through the technical review by the FedRAMP Program Management Office (PMO) and an accredited third-party assessment organization (3PAO). These 3PAOs have an ongoing responsibility: under the current rules, no CSP may remain on the FedRAMP Ready list for more than one year, which motivates the CSP to work with the 3PAO to achieve FedRAMP Compliant certification.

3PAOs, which are certified by FedRAMP, make use of the standardized FedRAMP templates as the security assessment model. To get to the point of being FedRAMP Ready, there are a dozen steps that must be met and evaluated during the initial review process, as outlined on the FedRAMP website.

Three ways to get on the list

There are three ways that a CSP can make it onto the Compliant list. The first is to independently develop a CSP Supplied Package, which requires that an accredited 3PAO has assessed a completed Security Assessment Package, which is then supplied to the PMO for approval.

The second is to receive a provisional authorization (P-ATO) from the Joint Authorization Board, which, according to the FedRAMP website, consists of the CIOs for the Department of Homeland Security, Department of Defense, and the General Services Administration. This authorization is received only after a stringent review by the PMO. A P-ATO alone does not automatically mean that the CSP is authorized to provide services. An authorization is still required, which is achieved when a specific government agency elects to use the P-ATO certified CSP and includes that vendor in its own security authorization process for the desired CSP and applications.

The third method is for a CSP to work directly with a government agency to achieve a compliant Authority To Operate (ATO). In this case the work is done by the CSP and their client agency and then submitted to the PMO for review and authorization.

The first ATO under the FedRAMP program was issued in 2012 to CSRA. In the four years since, other vendor efforts have simplified acquisition of cloud services by government agencies, for both on-premises and public cloud. Multiple vendors, such as Microsoft and Amazon, have built large scale dedicated data centers focused specifically on servicing government contracts, and Amazon is even building a data center to spec for a federal agency on a military base in Virginia to provide dedicated cloud services.

As additional vendors get certified at the high-impact level we can expect a rapid acceleration of adoption by agencies within the DoD and DHA as this will remove some of the major obstacles for dealing with the huge amount of data that those agencies collect that is classified at these levels. To all indications it appears that the “critical mass” point has been reached in establishing the government standards for deploying hybrid cloud services with the US federal government.