The federal government has been keeping a few balls in the air over the last few months.
On the one hand, there's the drive by the former and current federal CIOs, Vivek Kundra and Steven VanRoekel, to migrate government agencies to the cloud. On the other hand, there's the reluctance of departments like State and Defense to expose their networks to the perceived vulnerabilities of the cloud. And underlining those concerns is a distinctly lukewarm appraisal of cloud security by the National Institute of Standards and Technology.
This week, reports suggest that the government has at least tried to come to grips with these problems through the deployment of a new acronym -- sorry, plan: FedRAMP. The Federal Risk and Authorization Management Program is designed to vet the security of vendors providing cloud platforms for government agencies.
The main FedRAMP prongs are standardized assessment, joint authorizations, and continuous monitoring, all of which -- and especially the last -- seem like good ideas. NIST will serve as the program's technical adviser.
So much for the bare bones. Where's the meat? You'll find it in this downloadable zip file, which contains a detailed Excel spreadsheet setting out 170 "controls and enhancements" that cloud services must put in place to qualify as government providers. There's a brief overview, too, that rewards careful reading.
The controls promulgated here are designed for "systems designated at the low and moderate impact information systems as defined in the Federal Information Processing Standards (FIPS) Publication 199" (sic). I went and looked it up, and according to FIPS 199:
The potential impact is HIGH if --
- The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
A "catastrophic adverse effect" is further defined as an agency's inability to perform a primary function, major financial loss, or loss of life. On its face, then, this initiative doesn't rise to the level of ensuring the security of systems of any real importance or sensitivity. Maybe it's good enough to cover Department of Agriculture emails?
I found dipping into the spreadsheet an unedifying experience. To all appearances, there are no requirements for parameters like audit storage capacity, identification and authorization of non-organizational users, incident monitoring, control of output devices... and the list goes on. This all seems so counterintuitive that we should assume I am missing something.
According to the CIO.gov blog, these controls are indeed intended as no more than a baseline, to which departments can add their own customized requirements. Even so, it has the look and feel of a work in progress.
The aim of implementing a standard authorization program, rather than having departments and agencies conduct their own, mutually inconsistent, assessments, is laudable. It's good, too, to see some detail, however sketchy, of what the program will involve. So far, though, these really are baby steps.
— Kim Davis, Community Editor, Internet Evolution