Latest Headlines

New FedRAMP controls baseline coming this summer

Private sector cloud computing providers will have a changed set of security controls to adhere to when selling to federal agencies starting later this summer.

Spotlight: DoD approves Amazon cloud

All military services and Defense Department components are now permitted to lease computing space through Amazon Web Services.

Integrate cybersecurity with federal cloud computing adoption, says Karen Evans

A paper co-authored by a former government executive who occupied the position now known as the federal chief information officer recommends greater integration of cybersecurity efforts with federal cloud adoption.

Private sector cloud is secure? Prove it with an insurance policy, says DHS official

"It all boils down to one thing. Do the cloud providers have skin in the game?" Jeff Eisensmith said at the Federal Cloud Computing Summit in Washington, D.C. Eisensmith said a requirement to buy insurance for everyone whose personally identifiable information is lost can be the basis for security in a service level agreement.

Spotlight: Commercial cloud computing blurs federal network perimeters

WILLIAMSBURG, Va. – Federal adoption of commercial cloud computing complicates efforts to secure network perimeters because "neither agencies nor their cloud service providers understand...

Cloud management at NASA disjointed, risky, says OIG

Poor governance and risk management are putting NASA systems in the cloud at risk, finds NASA's inspector general in a July 29 report (.pdf). Auditors found that, unbeknownst to the NASA CIO, NASA centers moved systems and data to public clouds. While NASA's CIO developed a contract, called "WestPrime," in December 2012 for public cloud services that addresses business and IT security risks in accordance with FedRAMP, centers are not required to use the contract, says the IG.

GSA privatizes 3PAO accreditation under FedRAMP

The American Association for Laboratory Accreditation, in a "long-planned privatization," will now vet third party assessment organizations (known as "3PAOs") under the GSA-led FedRAMP program, under which private sector cloud providers seeking to sell low- and moderate-risk cloud services to the government must gain certification from a 3PAO that their offerings comply with a set of security controls (.zip).

NIST outlines cloud security management overlay

Agencies seeking to move services to the cloud retain responsibility for ensuring the security of those services, the National Institute of Standards and Technology says in a draft special publication that proposes a security reference architecture for cloud computing. NIST's intent is to ultimately map the components to specific controls in SP 800-53, said Michaela Iorga, NIST senior security technical lead for cloud computing.

FedRAMP for cloud brokers would be valuable, say panelists

"There is a need, in terms of clarity, of what the broker's role is," said Ouyachi, while speaking at the Federal Cloud Computing Summit in Washington, D.C. A FedRAMP program for cloud brokers would be "an interesting concept," he added. Certifying brokers through a FedRAMP process could ensure transparency into the broker's relationships and also clarify roles and responsibilities, said Ouyachi.

Spotlight: GSA assessing impact of SP 800-53 rev. 4 on FedRAMP

The General Services Administration is analyzing how the National Institute of Standards and Technology's recently released Special Publication 800-53 revision 4 will impact FedRAMP.