A paper co-authored by a former government executive who occupied the position now known as the federal chief information officer recommends greater integration of cybersecurity efforts with federal cloud adoption.
"It all boils down to one thing. Do the cloud providers have skin in the game?" Jeff Eisensmith said at the Federal Cloud Computing Summit in Washington, D.C. Eisensmith said a requirement to buy insurance for everyone whose personally identifiable information is lost can be the basis for security in a service level agreement.
WILLIAMSBURG, Va. – Federal adoption of commercial cloud computing complicates efforts to secure network perimeters because "neither agencies nor their cloud service providers understand...
Poor governance and risk management are putting NASA systems in the cloud at risk, finds NASA's inspector general in a July 29 report (.pdf). Auditors found that, unbeknownst to the NASA CIO, NASA centers moved systems and data to public clouds. While NASA's CIO developed a contract, called "WestPrime," in December 2012 for public cloud services that addresses business and IT security risks in accordance with FedRAMP, centers are not required to use the contract, says the IG.
The American Association for Laboratory Accreditation, in a "long-planned privatization," will now vet third-party assessment organizations (known as "3PAOs") under the GSA-led FedRAMP program, under which private sector cloud providers seeking to sell low- and moderate-risk cloud services to the government must gain certification from a 3PAO that their offerings comply with a set of security controls (.zip).
Agencies seeking to move services to the cloud retain responsibility for ensuring the security of those services, the National Institute of Standards and Technology says in a draft special publication that proposes a security reference architecture for cloud computing. NIST's intent is to ultimately map the components to specific controls in SP 800-53, said Michaela Iorga, NIST senior security technical lead for cloud computing.
"There is a need, in terms of clarity, of what the broker's role is," said Ouyachi, while speaking at the Federal Cloud Computing Summit in Washington, D.C. A FedRAMP program for cloud brokers would be "an interesting concept," he added. Certifying brokers through a FedRAMP process could ensure transparency into the broker's relationships and also clarify roles and responsibilities, said Ouyachi.
The General Services Administration is analyzing how the National Institute of Standards and Technology's recently released Special Publication 800-53 revision 4 will impact FedRAMP.
The National Institute of Standards and Technology released April 30 revision 4 of Special Publication 800-53, the catalog of security controls most agencies use in their cybersecurity programs. We spoke that day with Ron Ross, NIST's Federal Information Security Management Act implementation project leader and leader of the joint task force that put together the new revision.
The Defense Information Systems Agency announced April 16 it has achieved initial operational capability as the commercial cloud computing middleman for the Defense Department, despite its acknowledgment that it has yet to fully approve for DoD use any FedRAMP-authorized commercial cloud service providers.