Welcome!

Government Cloud Authors: Pat Romanski, Elizabeth White, Dana Gardner, Liz McMillan, Gopala Krishna Behara

Related Topics: @CloudExpo, Containers Expo Blog, Government Cloud

@CloudExpo: Blog Feed Post

FedRAMP Ramps Up

Recently, the GSA released a list of nine accredited third-party assessment organizations

On June 6th, the Federal Risk and Authorization Management Program, the government’s cloud security assessment plan known as FedRAMP will begin accepting security certification applications from companies that provide software services and data storage through the cloud.  On Monday, GSA issued a solicitation for cloud providers, both commercial and government, to apply for FedRAMP certification.  FedRAMP is the result of government’s work address security concerns related to the growing practice of cloud computing and  establishes a standardized approach to security assessment, authorizations and continuous monitoring for cloud services and products.  By creating industry-wide security standards and focusing more on risk management, as opposed to strict compliance with reporting metrics, officials expect to improve data security as well as simplify the processes agencies use to purchase cloud services, according to Katie Lewin, director of the federal cloud computing program at the General Services Administration.

As both the cloud and the government’s use of cloud services grew, officials found that there were many inconsistencies to requirements and approaches as each agency began to adopt the cloud.  FedRAMP’s goal is to bring consistency to the process but also give cloud vendors a standard way of providing services to the government.  And with the government’s cloud-first policy, which requires agencies to consider moving applications to the cloud as a first option for new IT projects, this should streamline the process of deploying to the cloud.  This is an ‘approve once, and use many’ approach, reducing the cost and time required to conduct redundant, individual agency security assessment.

Recently, the GSA released a list of nine accredited third-party assessment organizations—or 3PAOs—that will do the initial assessments and test the controls of providers per FedRAMP requirements. The 3PAOs will have an ongoing part in ensuring providers meet requirements.

FedRAMP provides an overall checklist for handling risks associated with Web services that would have a limited, or serious impact on government operations if disrupted.  Cloud providers must implement these security controls to be authorized to provide cloud services to federal agencies.  The government will forbid federal agencies from using a cloud service provider unless the vendor can prove that a FedRAMP-accredited third-party organization has verified and validated the security controls.  Once approved, the cloud vendor would not need to be ‘re-evaluated’ by every government entity that might be interested in their solution.  There may be instances where additional controls are added by agencies to address specific needs.

Independent, third-party auditors are tasked with testing each product/solution for compliance which is intended to save agencies from doing their own risk management assessment.  Details of the auditing process are expected early next month but includes a System Security Plan that clarifies how the requirements of each security control will be met within a cloud computing environment. Within the plan, each control must detail the solutions being deployed such as devices, documents and processes; the responsibilities of providers and government customer to implement the plan; the timing of implementation; and how solution satisfies controls. A Security Assessment Plan details how each control implementation will be assessed and tested to ensure it meets the requirements and the Security Assessment Report explains the issues, findings, and recommendations from the security control assessments detailed in the security assessment plan.  Ultimately, each provider must establish means of preventing unauthorized users from hacking the cloud service.

The regulations allow the contractor to determine which elements of the cloud must be backed up and how frequently. Three backups are required, one available online.  All government information stored on a provider’s servers must be encrypted.  When the data is in transit, providers must use a "hardened or alarmed carrier protective distribution system," which detects intrusions, if not using encryption.  Since cloud services may span many geographic areas with various people in the mix, providers must develop measures to guard their operations against supply chain threats.  Also, vendors must disclose all the services they outsource and obtain the board’s approval to contract out services in the future.

After receiving the initial applications, FedRAMP program officials will develop a queue order in which to review authorization packages.  Officials will prioritize secure Infrastructure as a Service (IaaS) solutions, contract vehicles for commodity services, and shared services that align with the administration’s Cloud First policy.

F5 has an iApp template for NIST Special Publication 800-53 which aims to make compliance with NIST Special Publication 800-53 easier for administrators of BIG-IPs.  It does this by presenting a simplified list of configuration elements together in one place that are related to the security controls defined by the standard. This makes it easier for an administrator to configure a BIG-IP in a manner that complies with the organization’s policies and procedures as defined by the standard.  This iApp does not take any actions to make applications being serviced through a BIG-IP compliant with NIST Special Publication 800-53 but focuses on the configuration of the management capabilities of BIG-IP and not on the traffic passing through it.

ps

Resources:

Technorati Tags: F5, federal government, integration, cloud computing, Pete Silva, security, business, fedramp, technology, nist, cloud, compliance, regulations, web,internet

Connect with Peter: Connect with F5:
o_linkedin[1] o_rss[1] o_facebook[1] o_twitter[1] o_facebook[1] o_twitter[1] o_slideshare[1] o_youtube[1]


Read the original blog entry...

More Stories By Peter Silva

Peter is an F5 evangelist for security, IoT, mobile and core. His background in theatre brings the slightly theatrical and fairly technical together to cover training, writing, speaking, along with overall product evangelism for F5. He's also produced over 350 videos and recorded over 50 audio whitepapers. After working in Professional Theatre for 10 years, Peter decided to change careers. Starting out with a small VAR selling Netopia routers and the Instant Internet box, he soon became one of the first six Internet Specialists for AT&T managing customers on the original ATT WorldNet network.

Now having his Telco background he moved to Verio to focus on access, IP security along with web hosting. After losing a deal to Exodus Communications (now Savvis) for technical reasons, the customer still wanted Peter as their local SE contact so Exodus made him an offer he couldn’t refuse. As only the third person hired in the Midwest, he helped Exodus grow from an executive suite to two enormous datacenters in the Chicago land area working with such customers as Ticketmaster, Rolling Stone, uBid, Orbitz, Best Buy and others.

Writer, speaker and Video Host, he's also been in such plays as The Glass Menagerie, All’s Well That Ends Well, Cinderella and others.

IoT & Smart Cities Stories
Nicolas Fierro is CEO of MIMIR Blockchain Solutions. He is a programmer, technologist, and operations dev who has worked with Ethereum and blockchain since 2014. His knowledge in blockchain dates to when he performed dev ops services to the Ethereum Foundation as one the privileged few developers to work with the original core team in Switzerland.
René Bostic is the Technical VP of the IBM Cloud Unit in North America. Enjoying her career with IBM during the modern millennial technological era, she is an expert in cloud computing, DevOps and emerging cloud technologies such as Blockchain. Her strengths and core competencies include a proven record of accomplishments in consensus building at all levels to assess, plan, and implement enterprise and cloud computing solutions. René is a member of the Society of Women Engineers (SWE) and a m...
Early Bird Registration Discount Expires on August 31, 2018 Conference Registration Link ▸ HERE. Pick from all 200 sessions in all 10 tracks, plus 22 Keynotes & General Sessions! Lunch is served two days. EXPIRES AUGUST 31, 2018. Ticket prices: ($1,295-Aug 31) ($1,495-Oct 31) ($1,995-Nov 12) ($2,500-Walk-in)
Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a mul...
Digital Transformation and Disruption, Amazon Style - What You Can Learn. Chris Kocher is a co-founder of Grey Heron, a management and strategic marketing consulting firm. He has 25+ years in both strategic and hands-on operating experience helping executives and investors build revenues and shareholder value. He has consulted with over 130 companies on innovating with new business models, product strategies and monetization. Chris has held management positions at HP and Symantec in addition to ...
The challenges of aggregating data from consumer-oriented devices, such as wearable technologies and smart thermostats, are fairly well-understood. However, there are a new set of challenges for IoT devices that generate megabytes or gigabytes of data per second. Certainly, the infrastructure will have to change, as those volumes of data will likely overwhelm the available bandwidth for aggregating the data into a central repository. Ochandarena discusses a whole new way to think about your next...
CloudEXPO | DevOpsSUMMIT | DXWorldEXPO are the world's most influential, independent events where Cloud Computing was coined and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals. Sponsors of DXWorldEXPO | CloudEXPO benefit from unmatched branding, profile building and lead generation opportunities.
Dynatrace is an application performance management software company with products for the information technology departments and digital business owners of medium and large businesses. Building the Future of Monitoring with Artificial Intelligence. Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more busine...
All in Mobile is a place where we continually maximize their impact by fostering understanding, empathy, insights, creativity and joy. They believe that a truly useful and desirable mobile app doesn't need the brightest idea or the most advanced technology. A great product begins with understanding people. It's easy to think that customers will love your app, but can you justify it? They make sure your final app is something that users truly want and need. The only way to do this is by ...
DXWorldEXPO LLC announced today that Big Data Federation to Exhibit at the 22nd International CloudEXPO, colocated with DevOpsSUMMIT and DXWorldEXPO, November 12-13, 2018 in New York City. Big Data Federation, Inc. develops and applies artificial intelligence to predict financial and economic events that matter. The company uncovers patterns and precise drivers of performance and outcomes with the aid of machine-learning algorithms, big data, and fundamental analysis. Their products are deployed...