Slow Progress, but Progress Nonetheless | Citizens Against Government Waste

Slow Progress, but Progress Nonetheless

The WasteWatcher

On May 21, 2013, the General Services Administration (GSA) announced the approval of Amazon Web Services as an authorized cloud service provider for the federal government under the Federal Risk and Authorization Management Program (FedRAMP).  The Department of Health and Human Services (HHS) submitted the application for Amazon Web Services to receive its provisional authority to operate (P-ATO).  This approval is the third such authorization completed through the FedRAMP process.

The FedRAMP program is supposed to streamline security certifications of cloud service providers to the federal government.  GSA calls the FedRAMP process a “do once, use many times” framework for cloud security certification, with the expectation that the process will reduce the amount of time spent on individual risk assessments by various agencies.  As reported in a previous blog post, the FedRAMP authorization process continues to move slowly.  GSA had set a goal of certifying the first three vendors by the end of 2012.  It is now mid-May 2013, and the third vendor has only just received authorization.  GSA certified Autonomic Resources in December 2012 and CGI in February 2013.  There remain over 80 applications in the queue waiting to be processed.

At a May 14, 2013 House Oversight and Government Reform Government Operations Subcommittee hearing, concerns were raised over the length of FedRAMP’s certification process.  However, witnesses commented that while the time to process the applications is long, FedRAMP is breaking new ground, providing a new process for ensuring security in the cloud.  By June 2014, all cloud services suppliers will be required to prove they meet the standard set of risk controls as defined by FedRAMP.

Even with the FedRAMP certification, some federal agencies will seek additional security information from cloud vendors before certifying them for their particular needs.  As pointed out in a January 16, 2013 article by Doug Miller of Milltech Consulting, it is important to understand that FedRAMP P-ATOs only address low to moderate risk levels.

While most federal agencies will be able to use FedRAMP’s provisional authority to operate as a baseline for their own security certification processes, some will still need to perform additional tests to address any high risk level requirements.