A couple of weeks ago I went to the NIST Cloud Conference for the afternoon security sessions. You can go grab the slides off the conference site. Good stuff all around.
Come to think of it, I haven’t blogged about FedRAMP, maybe it’s time to.
FedRAMP is a way to do security authorization (formerly certification and accreditation, get with the times, man) on a cloud then let tenant projects use that authorization. Hmmm, sounds like…. a General Support System with common controls and Major Applications that inherit those controls. This isn’t really anything new, just the “bread and butter” security management concepts scoped to a cloud. Basically what will happen with FedRAMP is that they have 3 standards: DoD, DHS, and GSA (most stringent first) and cloud providers get authorized against that standard. Then when a project wants to build on that cloud, they can use that authorization for their own authorization package.
All things considered, FedRAMP is an awesome idea. Now if we can get the holdout agencies to actually acknowledge their internal common controls, I’ll be happy–the background story being that some number of months ago I was told by my certifier that “we don’t recognize common controls so even though you’re just a simple web application you have to justify every control even if it’s provided to you as infrastructure.” No, still not bitter at all here, but I digress….
And then there are the pieces that I haven’t seen worked out yet:
- Mechanism of Sharing: As a service provider, it’s hard enough to keep one agency happy. Add in 5 of them and it gets nearly impossible. This hasn’t really been figured out, but in Rybolov’s small, myopic world, a panel of agencies owning an authorization for a cloud provider means that the cloud never gets authorized. The way this has been “happening in the wild” is that one agency owns the authorization and all the other agencies get the authorization package from that agency.
- Using FedRAMP is Optional: An agency or project can require their own risk assessment and authorization even though a FedRAMP one is available. This means that if the agency’s auditors don’t understand the process or the “risk monkeys” (phrase courtesy of My Favorite Govie) decree it, you lose any kind of cost savings and time savings that you would get by participating in FedRAMP.
- Cloud Providers Rule the Roost: Let’s face it, as much as the Government wants to pretend that the cloud providers are satisfying the Government’s security requirements, we all know that due to the nature of catalogs of controls and solution engineering, the vendor here has the advantage. Nothing new, it’s been happening that way with outsourcing, only now it’s immediately evident. Instead of trying to play ostrich and stick our heads in the sand, why don’t we look at the incentives for the cloud providers and see what makes sense for their role in all this.
- Inspector General Involvement: I don’t see this happening, and to be honest, this scares the hell out of me. Let me just invoke Rybolov’s Law: “My solution is only as good as my auditor’s ability to understand it.” I.e., if the IGs and other auditors don’t understand FedRAMP, you don’t really have a viable solution.
The Big Ramp photo by George E. Norkus. FedRAMP has much opportunity for cool photos.