Cloud First, US Gov Style (FedRAMP)

“Cloud first” is an approach I’ve heard articulated as a means of delivering on business objectives. The policy, as I’ve heard it, has referenced, if not been predicated on, the fact that the US government is implementing this policy in its federal agencies.

My first thought: how is the government accomplishing such a presumably agile, flexible and secure solution before commercial businesses?

It seems like a good place to take a look at how rapidly the federal government is embracing this strategic plan.

I went to the General Services Administration’s (GSA) FedRAMP site.

From this site I read the About FedRAMP, the FedRAMP process, federal agencies, approved Cloud Service Providers (CSPs) and Third Party Assessment Organizations (3PAOs).

One of the best documents outlining the process of becoming either a 3PAO (an agency that reviews the security of CSPs) or a CSP (an online provider of cloud services that a federal agency wants to consume/use) was the FedRAMP Concept of Operations, or CONOPS. This 49-page document details the requirements, forms and processes a CSP must complete to be approved before any federal agency can authorize the service with an Authority To Operate (ATO) as a CSP for that specific federal agency.

Since FedRAMP went operational in 2012, the federal government has approved only 20 agencies as 3PAOs, five agencies with the first-stage Provisional Authority To Operate, and only one agency as an actual CSP with full ATO.

For any who think the federal adoption of cloud services is a predicate for rapid adoption of secure cloud usage, consider that in 18 months* of a stated federal policy only one agency, Amazon Web Services, has been approved and adopted. At this point, any individual federal agency that wishes to use AWS must evaluate the general controls imposed on AWS by FedRAMP officials and the selected 3PAOs and, where needed, that agency must impose its own, stricter controls on AWS.

The US federal “cloud first” policy isn’t solely a mandate to get into the cloud quickly; it is a mandate to apply appropriate controls and to have many agencies (both federal and third-party) evaluate the risks and ensure they are mitigated to an acceptable level. NIST updated SP 800-53 from rev 3 (published in 2009) to rev 4 (published in April 2013). FedRAMP similarly published its own Baseline Security Controls on January 6, 2012.

A security framework is a necessary step for any agency (federal, state, local or commercial) that wants to responsibly move its processing and data to the cloud. The more regulated the agency, and the more its brand depends on the trust of its customers, the more it should vet the risks inherent in cloud computing and apply appropriate controls by design, not as an afterthought.

* 18 months – the Office of Management & Budget (OMB) issued a Policy Memo as the initiator of FedRAMP and as the overarching federal requirement for preferring cloud services.