FCW, October 15, 2012
agency can save considerable time by reusing the FedRAMP assessment. Gale said only a "small delta" might exist between the security controls documented in a FedRAMP assessment and any additional security measures an agency might require a CSP to pursue.

The FedRAMP assessment process can take as long as nine months, but the actual time frame will vary depending on the CSP's technical architecture. GSA's Conrad said the typical assessment and authorization of a traditional, non-cloud federal IT system at the moderate level takes five to nine months, depending on the size and complexity of the system. FedRAMP officials expect to grant the first provisional authorization in December, she added.

"Following in the crawl-walk-run philosophy of this new program, we also anticipate processing times to improve as the program matures," Conrad said. "As CSPs and agencies gain more familiarity and experience with the baseline controls, assessment timelines will also improve."

The hurdles

The nature of the cloud creates some obstacles to the process of assessing and testing services. Specifically, the different cloud service models, IaaS, platform as a service and software as a service (SaaS), complicate the security assessment task, said Maria Horton, CEO of EmeSec.

"There are some nuances and differences in the types of testing you have to conduct based on the type of deployment model," she said.

EmeSec, a cybersecurity and information assurance company that provides cloud security consulting, is pursuing 3PAO accreditation.

Another complication is that one vendor's cloud service might be hosted in another vendor's cloud. A SaaS application, for example, could reside on another cloud service provider's IaaS offering. Nguyen said the nested aspect of cloud services means that assessments might need to be coordinated across multiple vendors. Those dependencies also call for an understanding of the contractual relationships, including the service-level agreements, among the parties, he added.

Furthermore, agencies, CSPs and 3PAOs will need to deal with some degree of ambiguity in the FedRAMP guidance. For instance, the program requires agencies to work with their CSPs to assess their security posture on an ongoing basis, but the specifics are still being determined. Gale said the FedRAMP program has yet to issue much in the way of clear guidance on which controls should be monitored and with what frequency. He said those standards will likely emerge after the first CSP evaluations. At that point, FedRAMP officials will have a better idea of how continuous monitoring should work in different cloud environments.

For example, Gale said agencies that use publicly accessible cloud services might want to ensure that input validation and integrity checks are monitored more frequently to protect themselves against cyberattacks.

Working out the details of cloud security assessment and testing is something of a learn-as-you-go exercise. Accordingly, FedRAMP officials maintain open communications.

"The FedRAMP ISSOs are working very closely with the CSPs to share information and discuss emerging issues," Conrad said. "At a minimum, they hold a weekly status call."

Nguyen said FedRAMP recently launched a special interest group for 3PAOs. The forum brings together assessment organizations and FedRAMP officials.

"They have been very transparent and very open," Nguyen said. "This is a learning process. We're used to the old FISMA requirements, but this is a little bit different."

Next steps: What to expect as FedRAMP evolves

FedRAMP was consciously devised as a work in progress, with feedback from early evaluations informing the later stages of the program. Here are a few areas that might see greater definition over time.

Continuous monitoring. For each type of cloud environment, officials need to determine which controls require ongoing security checks and how frequently a cloud service provider should report results. FedRAMP's Concept of Operations document calls for the Department of Homeland Security to "develop continuous monitoring standards for ongoing cybersecurity."

Cloud brokers. Some vendors work with cloud brokers, which let customers connect to different cloud service providers. FedRAMP officials will need to explore the boundaries between brokers and service providers and determine how to certify brokers.

Scalable resources. Clouds are dynamically scalable, which allows IT managers to summon additional computing resources as needed. The question for FedRAMP and its industry partners is how to properly assess the security profile in such an ever-changing environment.