FedRAMPIn a speech on Wednesday, Federal Chief Information Officer Steven VanRoekel said that a federal plan for qualifying and providing security audits on private sector cloud providers will become mandatory for any agency that wanted to contact with third party cloud providers, according to a report on GovInfoSecurity.com. But even as the U.S. federal government forges ahead with plans to shift a quarter of its IT spending to cloud-based services, efforts to launch that program – the Federal Risk and Authorization Management Program (FedRAMP)- are falling way behind schedule, according to a GAO report.

Originally scheduled to begin implementation in September, 2010, the project is still not off the ground, according to a September, 2011 GAO report: “Electronic Government: Performance Measures For Projects Aimed at Promoting Innovation and Transparency Can Be Improved.” With hits to the government’s spending on e-government initiatives, its unclear whether FedRAMP will have the resources to move ahead in 2012.

FedRAMP was conceived in 2009 as a way to conduct joint security assessments, authorization and monitoring of cloud-based systems shared by multiple agencies. It is managed by the General Services Administration. So far, GSA has succeeded in reaching consensus among participating agencies on the kinds of baseline controls and processes to be covered by FEDRamp. A draft proposal has also been issued covering a security authorization, assessment and continuous monitoring program. However, a GAO review of e-government projects found that GSA hadn’t yet implemented FedRAMP or, indeed, even developed a model for implementing it. In addition GSA hasn’t yet settled on metrics that would allow it to measure FedRAMP’s progress toward goals like improving consistency of service or encouraging knowledge sharing between participating agencies, according to a September GAO report (GAO-11-775).

The lack of a functional FedRAMP program could complicate the government’s stated efforts to push ahead with new cloud services, because FedRAMP was supposed to provide a mechanism for vetting and authorizing new cloud systems – in essence, acting like a traffic cop to determine which new cloud services can and cannot be launched and insuring  a “consistent interpretation of cloud service provider authorization packages” with standardized processes and evaluation criteria, as well as monitoring. 

With no operational FedRAMP program and no agreement yet on what metrics will be used to evaluate its success (or lack of it) once it is launched, the FedRAMP project’s status for 2012 seems in doubt, especially with planned cuts to e-gov spending, GAO warned.

That contrasts with the government’s efforts, elsewhere, to promote a shift to cloud-based services and use FedRAMP to help rationalize that process. NIST released guidelines for agencies and private sector cloud providers who want to do business. Federal CIO Vivek Kundra said in February, 2011, that he would like to see one quarter of all IT spending directed towards cloud based services -an approach he dubbed the “Cloud First Initiative.”

FedRAMP is by no means a big ticket item. The government spent just $1.9million out of the government’s E-Gov budget on the program in 2010 – a rounding error in a government IT budget that will top $79 billion in non-defense spending in 2011. Still, the Federal government’s financial crisis has hit the E-Gov program hard and further cuts may curtail the FedRAMP project even more in FY 2012, GAO warned.

Categories: Compliance, Government, SMB Security, Web Security