White House Sets Security Requirements for Federal Cloud Providers
Modernizing Authentication — What It Takes to Transform Secure Access
The federal government has launched an assessment and monitoring program under which cloud providers have to commit to a certain level of security before being allowed to work with the government.
The Federal Risk and Authorization Management Program (FedRAMP) establishes a baseline of security requirements for government contractors interested in providing the federal government with cloud services, the Office of Management and Budget said Dec. 8. Over two years in making, the finalized FedRAMP is a "first step" toward securing cloud environments, according to Federal CIO Steven VanRoekel.
The federal government spends hundreds of millions of dollars securing its IT systems, and much of the tasks are "duplicative, inconsistent and time consuming," according to VanRoekel. FedRAMP's "do once, use many times" framework will save money, time and staff required to conduct security assessments, he said. VanRoekel estimated there will be a 30 percent to 40 percent cost savings for the government while securing cloud services under FedRAMP.
"FedRAMP enables agencies to deploy cloud technologies, while realizing efficiencies of scale to substantially reduce costs and transition time," he wrote on the White House blog.
Starting in June, all federal agencies must use FedRAMP when evaluating and purchasing "commercial and non-commercial cloud services that are provided by information systems that support the operations and assets of the departments and agencies," according to a memo from VanRoekel. The requirement covers systems that are provided or managed by other departments or agencies, contractors, or other sources, VanRoekel added. Because vendors will already be certified under FedRAMP, agencies will be able to move through the procurement process more easily and cheaply.