Is GSA’s FedRAMP Rush Undermining Federal Cloud Security?

According to an article on Nextgov, the General Services Administration (GSA), which manages the FedRAMP federal cloud project, is still figuring out how to compel real-time information sharing between private companies and agencies. With cloud computing, departments essentially outsource their IT to a commercial data center over which they have no control.

Nextgov also reports that GSA is moving ahead with FedRAMP certifications despite not having in place an essential component of cyber security for cloud computing — real-time, automated information security continuous monitoring (ISCM). Should GSA actually certify cloud vendors for federal IT business without their having all the necessary continuous monitoring requirements and procedures in place, the security of the FedRAMP clouds could be compromised, along with federal IT security and the national interest.

Despite the absence of guidance on automated surveillance, FedRAMP is anticipated to grant its first certifications by the end of December, GSA and the department’s hired auditors said this week. 

It’s not only security but also FedRAMP cost savings that are threatened by GSA’s apparent rush to certify cloud vendors. One of the great advantages of continuous monitoring is that it allows agencies to move away from the expensive and often despised manual reporting currently required under FISMA to automated reporting that is both cheaper and more effective for security. GSA is reported to be moving ahead with FedRAMP while delaying the automated reporting that is the source of those savings — presenting agencies with a worst-of-all-worlds possibility: migrating to a cloud while still having to conduct manual reporting.

At the outset, companies will report on security controls periodically through manual reporting, GSA officials said. Homeland Security and GSA will provide a detailed roadmap for instituting data feeds, as both FedRAMP and continuous monitoring, in general, mature, they said. 

In short, GSA appears, based on the news story, to be risking the substantial economic and security promises of the FedRAMP program in order to save a bit of time. Federal cloud computing needs to be done right or it should not be done at all. GSA must not allow its haste in implementing FedRAMP to compromise in any way the cyber security and economic advantages of the program.


6 responses to “Is GSA’s FedRAMP Rush Undermining Federal Cloud Security?”

  1. Dan Philpott says:

    It should be noted that GSA is not the agency responsible for continuous monitoring of cloud systems under FedRAMP. The CIO memo authorizing FedRAMP, “Security Authorizations of Information Systems in Cloud Computing Environments” (2011-12-08), stipulated DHS is responsible for:

    ii. Coordinating cybersecurity operations and incident response and providing appropriate assistance;
    iii. Developing continuous monitoring standards for ongoing cybersecurity of Federal information systems to include real-time monitoring and continuously verified operating configurations;

  2. FISMA Focus says:

    Mr. Philpott is correct that GSA is not responsible for setting continuous monitoring requirements. As the lead agency managing FedRAMP, however, GSA is responsible for ensuring that all security controls are in place by vendors prior to certifying them for FedRAMP.
