Government Technology Insider

FedRAMP Director Urges Layering and Stacking Approach to Cloud

by Wyatt Kash
May 1, 2013
in Digital Transformation

The federal government’s chief advocate for streamlining cloud computing security authorizations urged service suppliers to work more closely together, not only so their solutions have the opportunity to be “approved once and used often” across government, but also so they might more easily stack upon one another.

Maria Roat has more than a casual interest in seeing the evolution of layered security authorizations.  Roat, who was appointed in January to lead the Federal Risk and Authorization Management Program, believes the ability to combine authorized cloud services will be a boon for agencies as well as cloud service providers.  FedRAMP is a government-wide effort to standardize and streamline the process for granting agencies the security authorizations they need to operate infrastructure, software and other cloud computing services.

Speaking at a technology forum in Washington, April 24, Roat highlighted how a small federal agency, which she declined to name, had been seeking security authorization for a software service and was able to build on the work of a large agency (also unnamed) which had similarly been seeking approval for an infrastructure-as-a-service.

The software service the small agency had purchased “uses one cloud service provider for the infrastructure and another for the software application,” she explained.  However, “the small agency’s contract is with the software-as-a-service provider and not with the infrastructure-as-a-service provider. This is not an atypical arrangement,” she said.

The agency, however, is still obligated to authorize the infrastructure provider, not just the software provider – “and ensure that the boundaries between each system address all the security controls,” she said.

“Through the old method of authorizing vendors, the small agency would not have had enough resources to do an entire review and authorization of the infrastructure provider,” said Roat.

But by working with both vendors through the FedRAMP process, the small agency was able to leverage the work being done at the large agency in a way that benefits the vendors as well as the agencies.

“Both vendors have to use the FedRAMP baseline to authorize their system and be able to fully describe their system, their boundaries, and the controls for implementation.  Once that’s complete, the vendors can combine their documentation and testing,” she said.  That provides the small agency – and others wishing to take advantage of it – with foundational authorization for the combined infrastructure and software services.

“Ultimately, there will be an authorization issued by the large agency for the infrastructure as a service and the small agency’s authorization that will combine the infrastructure authorization from the large agency and the software as a service they completed as well,” she said.

“Layering and stacking compounds the do-once-use-many-times (approach),” she said.

That is proving easier said than done, she acknowledged.

“Cloud partners need to have a strong understanding of where their respective security controls start and end,” she said, and many still aren’t able to articulate that.

“We’re finding there are some cloud service providers who are new to the FISMA (the Federal Information Security Management Act) process.  And while they have extremely secure environments, getting them to understand and interpret the FISMA process is taking more time than expected.” That’s one reason why only two cloud service providers – Autonomic Resources LLC and CGI Federal – have been approved so far, although dozens of companies are currently under review.

But efforts to help suppliers continue to gain momentum, she said.

“FedRAMP program is moving from initial operating capability (IOC) to full operating capability (FOC) in June of this year,” she said. “It’s been a crawl, walk, run approach.”

“We’ve recently base-lined the end-to-end process to get security authorizations with the (FedRAMP) Joint Authorization Board,” which is overseen by CIO representatives from the Department of Homeland Defense, the Defense Department and the General Services Administration, whose Office of Citizen Services and Innovative Technologies manages the FedRAMP program.

“Internally, we knew the amount of time it would take for the reviews, but by base-lining, we’ve been able to set expectations for cloud service providers as well. If the baseline is six months for an (authorization to operate), it’s very clear throughout each step where the time frame can be shortened or lengthened (for testing, for instance).”

However, “Cloud partners need to have a strong understanding of where their respective security controls start and end,” she stressed.

Tags: Autonomic Resources, Maria Roat, CGI Federal, cloud computing, Cloud Service Provider, CSP, DHS, DOD, FedRAMP, FISMA, General Services Administration, GSA, IaaS, Infrastructure as a Service, SaaS, Software as a Service
