In our last blog we discussed the coming and going of the FedRAMP (Federal Risk and Authorization Management Program) June 5 compliancy deadline for federal government agencies and CSPs (cloud service providers) who wish to secure contracts to store government data in their cloud data centers. As we have discussed in detail starting right here with our first post on the subject, FedRAMP was designed to standardize the process of getting federal government agency data into the cloud securely. And then keep the data secure every day.
In some ways it has worked. It has established a set of rules and requirements for third-party organizations (3PAOs) to get approval to certify CSPs as FedRAMP-compliant. It has also streamlined the CSP selection process for agencies and made clear to everyone what the security requirements are for government data stored in private providers’ cloud servers. The result is around a dozen CSPs offering a multitude of different cloud service packages to agencies. However, while some have gotten onboard with FedRAMP and achieved compliancy as of the deadline hitting earlier this month, many agencies have not done so.
Despite this, no penalties are currently being handed down to agencies who have failed to achieve compliancy. Instead, the Office of Management and Budget (OMB), which is tasked with enforcing compliancy, is currently reviewing which agencies did and did not meet the deadline and why the latter group failed to do so. It will spend the remainder of the summer parsing through all of the relevant data and working with agencies to reach mutually agreeable next steps.
So What Happens Now?
The General Services Administration (GSA) – yes, there are a lot of government departments and acronyms involved in this thing – is in charge of overseeing FedRAMP compliancy, but OMB is the one doing the policing. Well, at least, OMB will be doing the policing. For now, it’s just doing the reviewing. As for the GSA, it says the short and sweet answer for agencies struggling to reach compliancy is for them to “Call us,” GSA Director Maria Roat told Information Week earlier this year.
Many agencies say the issue is that their preferred cloud host hasn’t achieved compliancy with the program yet. But given the growing list of approved providers, that excuse is no longer holding as much water as it once did. Still, the GSA is willing to work with non-compliant agencies to help them with the process before doling out punishments. It hasn’t even yet been made public what (if any) those punishments will be.
“Agencies may have legitimate reasons [for failing to achieve compliancy], but these requirements have been around for more than two years,” Tom McAndrew, executive VP of Coalfire Federal, which helps cloud service providers get FedRAMP-certified, explained to Information Week. An OMB memo from 2011, now more than two years old, broke down in detail the requirements McAndrew alluded to.
The point is, while these agencies may have good excuses, they’ve had a lot of time to find solutions to the issues that have been holding them back, and they still haven’t been able to fall in line. OMB has shown an astounding amount of patience in the matter, though. It has been collecting quarterly data ever since December 2011, primarily via its PortfolioStat IT investment review program, to help it stay on top of the situation. The polls it has been conducting are meant to assist it in determining if agencies are doing one of the following:
- Meeting the administration’s “Cloud First” policy, which requires agencies to use cloud options when available instead of selecting other alternatives
- Meeting FedRAMP requirements, proving that a cloud service complies with the government’s minimum security standards
- Justifying why they’re not meeting federal policies
“If agencies don’t have a robust plan to address cloud and security by now, then there will likely be increased pressure on the agency managers, directors, and CIOs” about their IT investment choices, according to McAndrew. OMB, which controls agency budgets, views FedRAMP’s “certify once, use often” plans as critical for cutting back unnecessary costs previously associated with federal agency cloud security and compliance procedures that were all over the map.
What’s the Incentive to Become a CSP?
That doesn’t mean that the U.S. government isn’t willing to spend on cloud services, however. Quite the contrary, it has $3 billion earmarked for 2015 cloud spending. Of course, it wants hosting centers to reach FedRAMP compliancy before they get a piece of that budget, though. And achieving that status is a drawn-out, extremely comprehensive and costly process for CSPs.
But with $3 billion at stake – about five percent of the government’s total IT budget for next year – many have gotten actively involved in FedRAMP or are working towards being approved as compliant by 3PAOs. The list of current and potential vendors is long: Amazon, IBM, Hewlett-Packard, AT&T, Dell, Microsoft, Verizon, Google, Oracle, Adobe, VMware, and quite a few others.
Amazon Web Services is the brand name most government agencies have familiarized themselves with and are turning to for infrastructure-as-a-service cloud offerings. It pioneered cloud services before the cloud achieved mass popularity and now has more government customers than any other CSP out there to show for its efforts.
Experts agree that none of the currently certified FedRAMP CSPs poses a legitimate threat to Amazon’s current dominance, but VMware is expected to achieve approval by autumn, and some believe it could realistically challenge Amazon for dominance. VMware, like Amazon, is a brand name that much of the federal government knows and trusts. The successful enterprise IT service provider is now working with Carpathia Hosting to get FedRAMP-approved. Together, they’re promising agencies that their vCloud Government Service offerings will provide a pain-free transition from the in-house VMware data centers with cloud infrastructure that agencies already use to Carpathia data centers.
What does that mean in practical terms? VMware government clouds that are easy additions to agencies’ current networks. In other words, hybrid cloud service. Amazon Web Services isn’t in a position to compete on that level; the Citrix-based cloud it runs is incompatible with VMware’s tech. Unfortunately for the company known best for those smiling packages it ships to your doorstep, Lockheed Martin, Verizon Terremark and others are already using VMware tech for the cloud.
CSP FedRAMP Compliancy Is Not the End
But even if an increasing number of cloud hosts become FedRAMP-compliant CSPs and bring an increasingly attractive smorgasbord of service offerings to agencies, that isn’t the end. From there, agencies will have to continue working with CSPs – who will in turn be periodically checked on by 3PAOs – to keep things safe and secure on a daily basis. FedRAMP has measures in place aimed at ensuring that happens, but we’ll have to wait and see how they work in widespread practice over the long term.
If the whole thing is pulled off successfully in the months and years ahead, the GSA then hopes the spirit of the program spills over from government contractors to private industry. Federal CIO Steven VanRoekel envisions a world in which FedRAMP’s policies and successes help to establish widely accepted basic security guidelines for the entire computer industry. And, he hopes, it will help service providers and end users do so cost-effectively.