FedRAMP Launched with Memo to CIOs

The recently appointed Federal Chief Information Officer, Steven VanRoekel, serving the U.S. Office of the President, has formally launched FedRAMP with a memorandum issued today called “Security Authorization of Information Systems in Cloud Computing Environments” (PDF).

Note the use of “shall”:

d. Each Executive department or agency shall:

i. Use FedRAMP when conducting risk assessments, security authorizations, and granting ATOs for all Executive department or agency use of cloud services;

ii. Use the FedRAMP PMO process and the JAB-approved FedRAMP security authorization requirements as a baseline when initiating, reviewing, granting and revoking security authorizations for cloud services; (For all currently implemented cloud services or those services currently in the acquisition process prior to FedRAMP being declared operational, security authorizations must meet the FedRAMP security authorization requirement within 2 years of FedRAMP being declared operational.)

iii. Ensure applicable contracts appropriately require CSPs to comply with FedRAMP security authorization requirements;

iv. Establish and implement an incident response and mitigation capability for security and privacy incidents for cloud services in accordance with DHS guidance;

v. Ensure that acquisition requirements address maintaining FedRAMP security authorization requirements and that relevant contract provisions related to contractor reviews and inspections are included for CSPs;

vi. Consistent with DHS guidance, require that CSPs route their traffic such that the service meets the requirements of the Trusted Internet Connection (TIC) program; and

vii. Provide to the Federal Chief Information Officer (CIO) annually on April 30, a certification in writing from the Executive department or agency CIO and Chief Financial Officer, a listing of all cloud services that an agency determines cannot meet the FedRAMP security authorization requirements with appropriate rationale and proposed resolutions.

FedRAMP defines its security baseline differently from the standard NIST Special Publication 800-53 (as amended), Recommended Security Controls for Federal Information Systems and Organizations. It also differs from the Consensus Audit Guidelines (CAG). I explained these differences in detail recently at the ISACA-SF conference (“Risks and Controls in Cloud Computing”) and also last June on the Focus Roundtable Podcast (“FISMA Clouds in 2011: Fact or Fiction?”). For example, look at the NIST SP 800-53 moderate requirements for Configuration Management – Baseline Configuration:

Moderate Control          800-53R3          CAG v2.3            FedRAMP
Baseline Configuration    CM-2(1)(3)(4)     CM-2(1)(2)(4)(5)    CM-2(1)(3)(5)

Risk Assessment – Vulnerability Scanning is another good example:

Moderate Control          800-53R3          CAG v2.3                         FedRAMP
Vulnerability Scanning    RA-5(1)           RA-5(a)(b)(1)(2)(4)(5)(6)(9)     RA-5(1)(2)(3)(6)(9)

I mapped all 170 or so controls because I found that many people were unaware of the deltas. I’m still using CAG 2.3, but 3.0 was released a couple of months ago. The theory, of course, is that the list of controls selected for FedRAMP is based on a risk model/assessment specific to cloud. The memo basically applies to all things cloud in the U.S. Federal space.
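As an added example (not part of the original post), here is a small Python script that parses the control notation used in the two tables above and reports, for each baseline, which enhancements it adds to or drops from the 800-53 R3 moderate baseline for the same control. The two rows are the ones quoted above; the dictionary layout, baseline labels and function names are my own assumptions.

```python
import re

# Constructed sample: the two rows quoted in the post, one string per baseline.
# Notation: control id followed by parenthesised enhancement numbers; the CAG
# column also cites control parts as letters, e.g. RA-5(a)(b).
SAMPLE_ROWS = {
    "Baseline Configuration": {
        "800-53R3": "CM-2(1)(3)(4)",
        "CAG v2.3": "CM-2(1)(2)(4)(5)",
        "FedRAMP": "CM-2(1)(3)(5)",
    },
    "Vulnerability Scanning": {
        "800-53R3": "RA-5(1)",
        "CAG v2.3": "RA-5(a)(b)(1)(2)(4)(5)(6)(9)",
        "FedRAMP": "RA-5(1)(2)(3)(6)(9)",
    },
}

# Control id like CM-2 followed by zero or more (digit-or-letter) groups.
_CELL = re.compile(r"^([A-Z]{2}-\d+)((?:\([a-z0-9]+\))*)$")


def parse_cell(cell: str):
    """Split 'RA-5(1)(2)' into ('RA-5', {'1', '2'}); reject malformed cells."""
    m = _CELL.match(cell.strip())
    if not m:
        raise ValueError(f"unrecognised control notation: {cell!r}")
    control, tail = m.group(1), m.group(2)
    return control, set(re.findall(r"\(([a-z0-9]+)\)", tail))


def baseline_delta(row, reference="800-53R3"):
    """For each non-reference baseline, list the enhancements it adds to and
    drops from the reference baseline, refusing to compare different controls."""
    ref_control, ref_set = parse_cell(row[reference])
    deltas = {}
    for name, cell in row.items():
        if name == reference:
            continue
        control, items = parse_cell(cell)
        if control != ref_control:
            raise ValueError(f"{name} maps {control}, expected {ref_control}")
        deltas[name] = {"adds": sorted(items - ref_set),
                        "drops": sorted(ref_set - items)}
    return deltas


def all_deltas(rows=SAMPLE_ROWS, reference="800-53R3"):
    """Apply baseline_delta to every row; keys are the row titles."""
    return {title: baseline_delta(row, reference) for title, row in rows.items()}
```

Feeding the full 170-control mapping into `SAMPLE_ROWS` turns this into a complete baseline diff; the hard failure on a mismatched control id catches copy errors in the mapping.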

This memorandum is applicable to:

a. Executive departments and agencies procuring commercial and non-commercial cloud services that are provided by information systems that support the operations and assets of the departments and agencies, including systems provided or managed by other departments or agencies, contractors, or other sources;

b. All cloud deployment models (e.g., Public Clouds, Community Clouds, Private Clouds, Hybrid Clouds) as defined by NIST; and

c. All cloud service models (e.g., Infrastructure as a Service, Platform as a Service, Software as a Service) as defined by NIST.

And it gives four deadlines:

  • 30 days – CIO Council will publish the FedRAMP security controls derived from NIST SP 800-53
  • 60 days – concept of operations (CONOPS) will be published
  • 90 days – security experts appointed from the DHS, DOD, and GSA will publish a charter with governance model
  • 180 days – FedRAMP PMO will provide FedRAMP operational capability

It looks to me as though “currently implemented cloud services or those services currently in the acquisition process” are being granted two and a half years before they shall use FedRAMP as described in this memo. In other words, Federal agencies have 180 days to start acquiring cloud services (to qualify for the two year exception) or cloud services acquired after June 2012 shall use FedRAMP.
