|While cloud-based information systems are becoming increasingly popular, many companies rely on outside services to help them manage their data and reduce security risks. Federal agencies are no exception, with most organizations using cloud computing arrangements to process and store government data. Unfortunately, a recent cloud security assessment suggests that a number of these agencies and their services are falling short of federal requirements.In late February, the 2014 Federal Information Security Management Act (FISMA) report to Congress was released to the public. According to the study, of the 17 inspector generals who reported that their agencies used programs to manage contractor systems, only eight believed their programs had all the required elements in place. While the departments were not identified, the stated problems were numerous: some never obtained sufficient assurance that the security controls were effective or compliant with guidelines, while others did not have a complete inventory of the systems being used. However, six of the departments admitted that their cloud systems were not compliant with FISMA requirements, federal polices and applicable National Institute of Standards and Technology (NIST) guidelines.
NIST regulations are the basis of the government’s Federal Risk and Authorization Management Program (FedRAMP). Designed to standardized security assessment, authorization and continuous monitoring of cloud solutions, the program is essentially designed to safely bring the government into a new age of information technology. However, the FISMA report shows that federal agencies fared little better when it came to FedRAMP requirements, noting that some departments are “not capable of tracking and managing risks in a virtual/cloud environment.”
Cloud Security is one of the Top 10 Priorities of the CIOs in 2015 and it is one of key areas of concern for the CIOs for not adopting Cloud technologies as fast as they should or they are expected to.
Fortunately, an element of the FedRamp process may address this issue. Once a cloud service is authorized under FedRamp, they are required to begin “continuous monitoring.” This means that all vendors must perform monthly vulnerability scans and remediate any findings deemed high-risk within 30 days. This change not only better aligns with the Department of Homeland Security’s own continuous monitoring program, but fixes a prevalent problem: previously, some security reporting was only performed quarterly.
Currently, the FISMA report shows that a total of 81 systems being used are FedRAMP compliant. Of this number, 26 agencies have reported using FedRAMP provisional authority to operate packages, which verifies that a cloud system meets the program’s standards. Agencies are required to review this documentation before granting vendors final authority to operate.
While it isn’t clear how many systems must meet FedRAMP standards, one of the program office’s top priorities for the coming year is to increase stakeholder engagement, particularly among the agencies implementing the program. Other goals including improving program efficiencies, automating FedRamp documentation and adapting the program to support evolving cloud technologies and policies.