
FedRAMP is mandatory for cloud providers, says McClure

If private sector providers of public cloud computing aren't at the very least able to provide two-factor authentication for log-on access, they might as well not bother applying for provisional governmentwide authorization under the newly unveiled FedRAMP program, federal officials said at a Jan. 11 industry gathering.

Under FedRAMP, cloud service providers will apply for a provisional authorization that program officials say should be accepted across the government for low- and moderate-risk systems. All cloud service providers, with the exception of an agency setting up its own private cloud with no external users, must go through the FedRAMP provisional authorization process, said Dave McClure, associate administrator at the GSA's office of citizen services and innovative technologies. McClure and other FedRAMP officials spoke at a meeting hosted by industry association ACT-IAC in Vienna, Va.; GSA, along with the Homeland Security Department, funds the FedRAMP program.

Certification that cloud services meet the minimal security controls will be done by third party assessment organizations; the FedRAMP program office is now accepting applications from companies wishing to act as an assessment organization. The first third party assessors are set to be announced in March or April, and initial cloud service provider authorizations should start rolling out by fall.

Other examples of controls without which an application for provisional authorization will be quickly returned are incident handling and reporting, the ability to monitor and control communications at the external boundary of the system and at key internal boundaries within the system, and separation of logical and physical devices within the authorization boundary, GSA officials said.

Those controls aren't the most important of the 116 total controls for low-impact systems and 297 controls for moderate-impact systems under FedRAMP, said Katie Lewin, program manager for cloud computing at GSA. But they do constitute a first gate for examining the feasibility of provisional authorization of a cloud offering, she said.

Provisional authorization must be granted anew each time a significant change occurs to a public cloud offering, GSA officials said, although Matt Goodrich, FedRAMP program manager, acknowledged that "there will never be a full list on what constitutes significant change."

Were a provisionally authorized infrastructure-as-a-service provider to add software-as-a-service, the new combined IaaS and SaaS service would obviously require a new provisional authorization, officials said. However, if the IaaS infrastructure itself has not gone through significant change, the provisional authorization process would be able to leverage documentation from the previous IaaS provisional authorization.

Companies will not need sponsorship from a federal agency in order to gain provisional authorization, McClure said. But they will be required to pay third party assessors, he said, adding that it'll be up to the assessors to set their own fees.

"We're not going to dictate pricing or anything like that. That's a market issue," he said. GSA itself will not charge companies a fee in order to become a certified third party assessor.

"We feel like that's an investment that's absolutely essential to get the [third party assessment organization] certified," he said.

Third party assessors must have ISO 17020 A or C certification, Goodrich said. Companies wishing to act as both a provider of cloud services and a third party assessor conceivably could do so, officials at the event said, but they would have to conform to the firewall standards in the ISO standard.

For more:  
- download presentation slides shown during the FedRAMP event (.pdf)
