FedRAMP in the News: Getting a Handle on Cloud Procurement

Earlier this month, Federal CIO Steve VanRoekel officially launched FedRAMP – a program designed to provide a cost-effective, risk-based approach for the adoption and use of cloud services by U.S. government agencies. A major focus of FedRAMP is to establish a standardized approach for evaluating and approving cloud products and services across agencies. Under current practice, each agency separately assesses and authorizes the security of a system, a multi-step process that takes anywhere from six to 18 months, before it can grant authority to move that system to the cloud.

Initial FedRAMP operational capability is required within the next six months. From that point, all federal agencies are expected to use FedRAMP before acquiring cloud-based services and to require vendors to comply with the program’s standards. The government estimates that letting all departments and agencies share security assessments will save 30-40% of the cost of assessing, authorizing, and continuously monitoring cloud-based IT systems. More importantly, it will apply consistent security and risk management standards to cloud services deployed by the federal government.

Looking at this from the point of view of the private sector, a couple of thoughts struck me:

  • Enterprises have a similar, if smaller-scale, set of cloud adoption issues to those the U.S. government faces. In the past year, I’m guessing that the average enterprise negotiated dozens of procurement agreements for cloud computing services, ranging from licensing SaaS applications to buying compute time using a personal credit card. The very nature of “on-demand” cloud computing lends itself to this decentralized, self-service procurement. But as we all know, there are very real risks here. As cloud adoption becomes even more prevalent in enterprise environments, I think we’ll see more organizations adopting their own cloud adoption programs to ensure consistent vendor risk management and conformance to security and risk management policies, and to avoid the inefficiencies and waste of decentralized cloud procurement.
  • Perhaps more importantly, our industry is in dire need of a workable set of standards for service assurance of cloud providers. It’s much too difficult for enterprises to assess the security and compliance practices of service providers. Because the enterprise remains ultimately responsible for the security and integrity of data and applications deployed in the cloud, most enterprises will do their own due diligence before fully adopting cloud technology for critical business applications (a provider’s SAS-70 report is not enough). But without meaningful cloud compliance standards or certifications, that due diligence requires an arsenal of auditors to assess service provider practices and lawyers to negotiate contractual protections. There is frankly too much cost and risk in adopting cloud computing for critical applications, with the result that most enterprises will not make the move any time soon.

FedRAMP for enterprises, anyone?