FedRAMP certification can’t come soon enough for cloud computing providers hoping for federal customers. The Federal Risk and Authorization Management Program is Federal CIO Vivek Kundra’s plan for having the General Services Administration assess and authorize cloud providers so that subsequent agency users wouldn’t have to go through their own security certification process. In other words, so people can sign up fast when they need cloud services.
Fierce Government IT reported that the FedRAMP set has reached agreement on the basics of cloud security controls — 114 controls already outlined by the National Institute of Standards and Technology (NIST) and several other continuous monitoring controls.
Even as numerous agencies move applications like e-mail to the cloud, CIOs and technical staff worry about security for more mission-related applications. This was made clear during a session at last week’s FedSMC (Federal Senior Management Conference) in Cambridge, Md. A crowded room listened as a discussion advertised to be about cloud computing really evolved into a cybersecurity discussion.
Brigadier General Steven Spano, the director of communications for Air Combat Command, said the private sector seems to have gotten the message about the importance of cybersecurity and the need for user and device authentication. He contrasted this with what he said is still the government’s main approach, namely perimeter security. That model, he said, is rapidly growing obsolete in an age of mobility and virtualization.
“Perimeter security and defense in depth — that’s yesterday’s model,” Spano said. “Now we need to be distrustful of every device, especially mobile devices.”
Even Lee Badger, one of NIST’s leading computer scientists, said, “We’re working on standards, but cloud is surging and we’re trying to keep pace.” NIST issued two draft cloud computing security documents in February and a wiki as part of its extensive work on cloud computing.
But there are other issues with cloud computing besides cybersecurity. With an 18-month timeline for moving a certain portion of their activities to the cloud, agencies are feeling pressure in other areas. Overlaid with the cloud-first policy is the imperative for closing 800 data centers by 2015. OMB is supposed to have a list of 100 already targeted, but the list hasn’t been released. Cloud and consolidation both point to virtualization, without which it would seem to be tougher to consolidate.
But as Spano pointed out, moving complex environments to the cloud doesn’t change the fact of complexity. Nor does virtualization, with all of its benefits in terms of server utilization and flexibility.
“The problem with cloud is, it’s a capacity answer that doesn’t solve the problem of complexity.” Moreover, he said, “Centralization isn’t cloud. Moving the Army’s e-mail to the cloud is centralization of a service.” That, he said, reduces one big problem, cost, but doesn’t ensure an improvement in effectiveness.
One group yet to weigh in on what it thinks should happen in the cloud is a commission formed by the TechAmerica Foundation. It was announced in March and gave itself a three-month deadline for providing cloud recommendations to the Obama administration. The commission exists in addition to TechAmerica's standing cloud committee, which is somewhat analogous to what the commission is supposed to do.
One thing seems certain, and that is there will be more cloud providers to meet expected federal demand. One example: Recently I spoke with Dennis Muilenburg, the president and CEO of Boeing Defense, Space and Security. He said in this interview that Boeing would invest in cloud capability as it seeks ways to compensate for future flat Defense budgets.