The Government's Cloud Security Program

Written by Kim Davis
1/11/2012 6 comments

The federal government has been keeping a few balls in the air over the last few months.

On the one hand, there's the drive by the former and current federal CIOs, Vivek Kundra and Steven VanRoekel, to migrate government agencies to the cloud. On the other hand, there's the reluctance of departments like State and Defense to expose their networks to the perceived vulnerabilities of the cloud. And underlining those concerns is a distinctly lukewarm appraisal of cloud security by the National Institute of Standards and Technology.

This week, reports suggest that the government has at least tried to come to grips with these problems through the deployment of a new acronym -- sorry, plan: FedRAMP. The Federal Risk and Authorization Management Program is designed to vet the security of vendors providing cloud platforms for government agencies.

The main FedRAMP prongs are standardized assessment, joint authorizations, and continuous monitoring, all of which -- and especially the last -- seem like good ideas. The NIST will serve as the program's technical adviser.

So much for the bare bones. Where's the meat? You'll find it in this downloadable zip file, which contains a detailed Excel spreadsheet setting out 170 "controls and enhancements" that cloud services must put in place to qualify as government providers. There's a brief overview, too, that rewards careful reading.

The controls promulgated here are designed for "systems designated at the low and moderate impact information systems as defined in the Federal Information Processing Standards (FIPS) Publication 199" (sic). I went and looked it up, and according to FIPS 199:

The potential impact is HIGH if --
- The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

A "catastrophic adverse effect" is further defined as an agency's inability to perform a primary function, major financial loss, or loss of life. On its face, then, this initiative doesn't rise to the level of ensuring the security of systems of any real importance or sensitivity. Maybe it's good enough to cover Department of Agriculture emails?

I found dipping into the spreadsheet an unedifying experience. To all appearances, there are no requirements for parameters like audit storage capacity, identification and authorization of non-organizational users, incident monitoring, control of output devices... and the list goes on. This all seems so counterintuitive that we should assume I am missing something.

According to the CIO.gov blog, these controls are indeed intended as no more than a baseline, to which departments can add their own customized requirements. Even so, it has the look and feel of a work in progress.

The aim of implementing a standard authorization program, rather than having departments and agencies conduct their own, mutually inconsistent, assessments, is laudable. It's good, too, to see some detail, however sketchy, of what the program will involve. So far, though, these really are baby steps.

— Kim Davis, Community Editor, Internet Evolution

Kim Davis
Thinkernetter
Wednesday January 11, 2012 4:04:01 PM

The thing which you can easily miss in the press releases is that it doesn't even attempt to deal with the sort of "high impact" information which State and Defense doubtless think constitutes most of their workload.  It's as if the process set aside really confidential material as too difficult at this stage.

Bolingbroke
IQ Crew
Wednesday January 11, 2012 3:46:06 PM

It's not unheard of that maybe Defense and State have somehow diluted this report enough so that it is dead on arrival, therefore allaying any real possibility their stuff will ever see the cloud anytime soon.

Mary Jander
Thinkernetter
Wednesday January 11, 2012 2:44:47 PM

Sounds like an exercise in rhetoric, Kim. I'm skeptical of any progress on this front. Perhaps various agencies are more concerned about their budgets being continued than about conforming to this blurry spec.

Kim Davis
Thinkernetter
Wednesday January 11, 2012 2:18:09 PM

It's not at all clear, Jerry. In fact, there's very little that's clear for anyone who actually digs beyond the press releases. It sounds like they're doing something, but it doesn't seem to be much.

Nicole Ferraro
IQ Crew
Wednesday January 11, 2012 1:56:20 PM

So this effort basically requires agencies to exercise a basic level of understanding about cloud security, yes? Unless I'm reading wrong. This "plan" sounds rather thin -- something to appease the naysayers but not really regulate security.

Jerry Bishop
Thinkernetter
Wednesday January 11, 2012 1:55:14 PM

You have to wonder how the OMB support, and that of other agencies, for the use of third party credentials fits into this view on cloud security.
