Our organization, (ISC)², recently participated in the IT Acquisition Advisory Council’s 40th IT-AAC Leadership Roundtable, where high-level cloud stakeholders came together to discuss cloud security, FedRAMP and beyond.
Although I was unable to engage live in the roundtable discussion, I do have some thoughts for government officials to consider as they address the many complexities of securing an initiative that holds more promise for the federal government than any other IT innovation in decades — the cloud.
First, I’d like to congratulate GSA for its efforts in standing up the FedRAMP program and for taking an important first step in fostering the secure adoption of cloud computing by the federal government through the development of FedRAMP’s baseline security controls.
While I have great confidence in the long-term impact of this program, there appears to be widespread concern that administering the security controls will be a significant challenge. After all, strategy and planning are the easy parts – it’s the execution of security processes that’s difficult.
After my initial review of the controls, the following considerations came to mind as points government must consider as it moves into the next phase of FedRAMP concept development:
- The administration of FedRAMP security controls will be a significant problem. The bureaucracy factor and its potential impact on progress must be addressed.
- The FedRAMP governing boards are composed solely of a small representation of feds. The initiative would benefit from external input, which would provide a greater level of legitimacy and credibility. This would also encourage use of sound principles beyond just the U.S. Government.
- Similar to other federal initiatives, a sanctioned advisory board consisting of a broader pool of experts would help bring greater focus and ultimately take FedRAMP to the next level of effectiveness.
- Missing from FedRAMP’s ISO reference is a reference to ANSI/ISO/IEC 17024, which lays the ground rules for certification and validation of people. Our 2011 Global Information Security Workforce Study cites a need for more education to overcome a significant and potentially dangerous gap that exists between the goals of CISOs and the security skills required to protect cloud services effectively. Qualified people cannot be overlooked in the cloud security equation.
- Develop a plan for existing cloud systems. So many government systems are legacy and are not amenable to immediate transport to the cloud. Before tossing an existing system into the cloud, agencies must be required to re-engineer. A system that gets launched in the cloud should have passed a test demonstrating a successful system re-engineering and been tested for portability.
- Cloud migration provides an opportunity to modernize. Agencies should consider to what extent they should invest before moving to the cloud.
- How will FedRAMP address those factors that limit successful cloud transformation, such as the cost of security, how to define the skills/experiences required to effectively safeguard agency data and systems in a cloud environment, what type of education, training and certification programs are available for security officials needing to train staff, and how can managers evaluate those programs to ensure that they deliver the necessary skills and abilities?
- Carefully written service level agreements are needed to make the use of continuous monitoring visible. Continuous monitoring is an important component of system administration. It will be too easy to sign the contract and forget, especially when the people previously administering the systems are swept away in the efficiency gains.
All this being said, I am encouraged by FedRAMP’s baseline security controls and FedRAMP’s potential to assist agencies in effectively and securely migrating to the cloud.
Further, I praise the IT-AAC organization for bringing together the leaders and stakeholders responsible for day-to-day cloud strategy and implementation and for recognizing the importance of combining a “benefits” mindset with a “security” mindset.
W. Hord Tipton is executive director of (ISC)², the world’s largest non-profit body for certifying information security professionals; he is also the former Chief Information Officer of the U.S. Department of Interior and recipient of the President’s Distinguished Rank Award. He writes regularly for Breaking Gov and serves on its board of editorial advisors.