FCW : October 15, 2012
ment organizations that were working with FedRAMP. The idea is to "eliminate the subjectivity of different assessors to make it an objective exercise," Nguyen added.

In another expected plus, FedRAMP offers a repeatable security assessment process that could save time and money. Instead of having a cloud service provider (CSP) undergo an assessment for each potential agency customer, FedRAMP lets a provider go through one evaluation that can be used multiple times. FedRAMP officials plan to compile a library of security-tested cloud services that agencies can access.

"The main idea here is that once you have FedRAMP certification, in theory and hopefully in practice, another agency will accept FedRAMP and you don't have to go through the certification process each time with a different agency," said Steve Vinsik, vice president of global security solutions at Unisys. Unisys plans to have its cloud services certified through FedRAMP but has not yet initiated the process, he added.

A streamlined security approach would presumably help agencies adopt cloud services more quickly, but it could bring another benefit in the form of cost savings. Although prices vary, security audits can cost $40,000 to $100,000, said Prenston Gale, director of information security at Dynamics Research Corp., another FedRAMP 3PAO.

The fundamentals

FedRAMP doesn't represent a huge departure from other security assessments, at least in terms of its foundation. FedRAMP's baseline requirements follow the security controls listed in the National Institute of Standards and Technology's Special Publication 800-53, "Recommended Security Controls for Federal Information Systems and Organizations," which also backs Federal Information Security Management Act (FISMA) reviews. Furthermore, FedRAMP's security assessment process maps to NIST SP 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems."

"The controls in place and the process are very similar to what we would already need to do from a FISMA certification perspective," Vinsik said. However, FedRAMP officials have enhanced some of the NIST controls to make them more pertinent to the cloud environment. Consequently, FedRAMP provides "a centralized consensus for what controls should look like and what cloud enhancements are necessary," Gale said.

To test itself against those controls, a CSP submits a request to the FedRAMP office to get the review process started. The office prioritizes the requests, with infrastructure-as-a-service providers taking precedence. When a provider's turn comes up, the office assigns an information systems security officer (ISSO) as the point person for guidance on deploying security controls and following the assessment steps.

After deploying the necessary controls, the CSP documents those measures in a system security plan that goes to the ISSO for review and, eventually, to the Joint Authorization Board for approval. The board consists of the CIOs from GSA, DHS and DOD.

The next step involves an independent assessment of the CSP's controls. That's where the 3PAOs come in. The assessment organizations examine the provider's controls and match them to the FedRAMP guidelines. Vinsik said the 3PAOs help providers uncover gaps that would prevent them from obtaining FedRAMP certification.

The board finalizes the security assessment and grants a provisional authorization if it deems the CSP's security stance to be sufficient. The documentation supporting those authorizations will be housed in a FedRAMP repository for other agencies to use. An agency planning to buy a cloud service must make the final decision on whether to grant a provider an authorization to operate, but the
FedRAMP Accredited 3PAOs:
BrightLine
COACT
Coalfire Systems
Department of Transportation Enterprise Service Center
Dynamics Research Corp.
Earthling Security
Electrosoft Services
Homeland Security Consultants
J.D. Biggs and Associates
Knowledge Consulting Group
Logyx
Lunarline
SecureInfo
SRA International
Veris Group