by clicking on the page. A slider will appear, allowing you to adjust your zoom level. Return to the original size by clicking on the page again.
the page around when zoomed in by dragging it.
the zoom using the slider on the top right.
by clicking on the zoomed-in page.
by entering text in the search field and click on "In This Issue" or "All Issues" to search the current issue or the archive of back issues respectively.
by clicking on thumbnails to select pages, and then press the print button.
this publication and page.
displays a table of sections with thumbnails and descriptions.
displays thumbnails of every page in the issue. Click on a page to jump.
allows you to browse through every available issue.
FCW : February 2014
ate levels, so there are higher levels of security that are not covered by these authorizations," she said. "These assur- ances may not fully address privacy concerns and other subtleties of data sensitivity. As with any cloud adoption effort, agencies need to understand the information access and management requirements for the data that will be hosted on the system." An always-changing environment NIST Special Publication 800-53 was rst published in 2005. The current version, Revision 4, is the most comprehensive update since the publication was rst released, Fussell said. Only two cloud service providers had received FedRAMP approval when that version was in its nal draft stage in early 2013. The update expands the catalog of security controls from 600 to more than 850, increases the focus on secure devel- opment and continuous monitoring, and includes guidance for tailoring security to speci c requirements, Fussell said. "Of particular signi cance for FedRAMP, those additional security controls and enhancements included a number around mobile and cloud computing," she said. "There is no separate catalog for cloud security, however." Although FedRAMP imposes burdens on vendors to achieve and demonstrate compliance, it also aids them in overcoming agency managers resistance to cloud comput- ing, said Tom Ruff, vice president of Akamai s public-sector business. Akamai earned a provisional authority to operate under FedRAMP in August 2013. "When the government came up with the cloud- rst initia- tive, they were looking at not only the advantages of cloud but also the inhibitors," he said. Security has always been a signi cant hurdle for vendors seeking to convince skeptical agency managers of the ben- e ts of cloud computing. For example, as recently as last spring, when FCW parent company 1105 Media conducted a survey, 73 percent of government IT professionals believed cloud computing introduced new security vulnerabilities, while only 19 percent thought it could improve security. Once an agency s data is in someone else s hands, man- agers and CIOs tend to feel they have lost control over it because they have to trust someone else to protect it. By using FedRAMP to ensure that an approved cloud vendor meets the same security requirements established by FISMA and articulated by NIST, much of that resistance can be overcome, Ruff said. With that in mind, changes like the ones underway now are to be expected, he said. "As you try to address secu- rity in any environment, it s not a set-and-forget type of environment," he said. "Security...is an always-changing environment." The costs of certi cation However, although compliance comes with rewards, the resources involved are not trivial, Fussell said. Vendors must pay the cost involved in completing the assessments with no guarantee of securing repeat business --- or indeed any business at all. "It s a cost that some vendors, particularly small busi- nesses, need to evaluate carefully," she said. There is another wrinkle: Companies seeking authoriza- tion must nd a third-party assessment organization (3PAO) to evaluate their compliance with FedRAMP standards. That business relationship needs to be considered strategically, she said. "The FedRAMP of ce certi es these assessment orga- nizations, but they do not prescribe one to use," she said. "While this allows vendors to change assessors as war- ranted, it means industry is responsible for forming those partnerships. There is also some speculation among ven- dors about strategic differences between agency-sponsored authorizations and those issued by the FedRAMP [Joint Authorization Board]. Namely, does one better position them for competition?" Although there are no set costs, Ruff con rmed that the process is not cheap --- and it is not quick either. "It took us 13 months," he said. "It took us man-years of effort and the investment of hiring a 3PAO. Our investment was in the seven-digit investment area. I know there are other solutions out there with [Joint Authorization Board] approval that have put in signi cantly more money." Fortunately, under the forthcoming baseline update, providers that have already earned a provisional authority to operate will not have to undergo the entire assessment process again. Instead, they will have one year to imple- ment and test the new controls. Providers that are in the process of gaining approval will have a deadline by which they must comply with the new standards. That approach is in keeping with the general thrust of FedRAMP, Fussell said. "The aim of FedRAMP to shift from a one-off compliance process to ongoing security assurance highlights requirements for ongoing assess- ment and authorization," she said. "Completing a system assessment and receiving provisional authorization isn t the end of this process." ■ Technology journalist Michael Hardy is a former FCW editor. 30 February 2014 FCW.COM ExecTe c h
March 15, 2014