EPA’s Transition to the Cloud

From: BankInfoSecurity

Environmental Protection Agency Leverages FedRAMP Process

By Eric Chabrow

The Environmental Protection Agency earlier this year transitioned more than 22,000 e-mail users to Office 365 for Government, a cloud service from Microsoft that hosts productivity applications.

I wanted to interview an EPA IT security official to get his or her thoughts on cloud computing, believing the lessons learned from the Office 365 project as well as other initiatives would be of interest to our readers.

It’s not unusual for a government agency or business to decline our request, which is what the EPA did, although many other organizations do grant interviews. However, the EPA agreed to answer questions submitted by e-mail. Typically, e-mail responses to questions have a name behind them. Not so this time; the agency requested that answers be attributed to EPA. So be it, at least in this one instance.

What’s on the Cloud?

Information Security Media Group: What types of data, applications and infrastructure are being moved to the cloud by the EPA?

EPA: EPA’s initial focus on cloud services has been in the areas of infrastructure services and productivity platforms. EPA’s first three cloud moves established: Managed Trusted Internet Connection Services [a federal initiative to enhance security by limiting gateways to the Internet] through AT&T for EPA’s edge security services; enterprise call center services through CGI for technical support and call management; and enterprise web conferencing through Connect Solutions.

In February, we transitioned over 22,000 e-mail users to a cloud solution engineered by Lockheed Martin and Microsoft. With the Lockheed/Microsoft solution, EPA establishes an enterprise e-mail and collaboration solution based on Office 365, Lync and SharePoint. EPA also awarded a contract with CGI for cloud-based infrastructure-as-a-service platforms to support custom applications and we are working with CGI to integrate this offering to support our shared services application platforms.

Data, Apps Sensitivity

ISMG: What types of data, applications and infrastructure would the EPA not move to the cloud?

EPA: EPA has not made a class-based determination to exclude data or applications from cloud services. Cloud services and security are evolving rapidly. Cloud suitability must be assessed in the specific context of the application and consider data sensitivity, the specific control framework offered by a cloud solution and the cost benefit of the solution. However, our initial focus has been on low and moderate sensitivity applications.

ISMG: Who’s involved at the EPA in deciding what data, applications and infrastructure should or should not be moved to the cloud?

EPA: Application suitability assessment is a collaborative effort involving our application owners, infrastructure operations teams, information security officials and authorizing officials.

Assessing Cloud Security

ISMG: What security measures do you take before, during and after moving data, applications and infrastructure to the cloud?

EPA: To scope the answer, we’ll consider this question from the perspective of focusing on the cloud provider.

Before we move information or obtain services, we verify the provider can meet our information security control requirements. To do that, we leverage provisional authorizations granted by the Joint Authorization Board under FedRAMP [the Federal Risk and Authorization Management Program is a federal initiative to vet the security provided by cloud providers] as well as authorizations supported by security assessment packages that meet FedRAMP requirements as much as possible.
