FedRAMP High: Trust is cloud security validated
The latest Government Office of Accountability report dealing with the security of high impact information technology (IT) systems continues to point out opportunities for improvement in cybersecurity across the US Federal Government. While improvements have been made, the persistence of the challenge is disquieting. Particularly troubling is that many of the concerns result from long-standing and well known inefficiencies in the government’s current IT environment, such as low asset utilization, fragmentation, legacy systems, and the challenging procurement processes. Cloud computing can help address many of those, and at the same time improve government service delivery – at a lower cost – ultimately providing agencies with the ability to deliver secure, reliable, and innovative services quickly despite resource constraints.
When the Obama Administration issued its Cloud First Policy five years ago, with a clear aim of encouraging the Federal Government to harness the benefits of cloud computing, one question remained for many agencies: Given the level of security required, would my data be secure? The Cloud First Policy accelerated the rate at which government could realize the value of cloud computing by – among other things – requiring government agencies to evaluate the security of cloud computing options before making new investments. This single action not only required government agencies to familiarize themselves with cloud computing during each new acquisition, but also incentivized vendors to drive further investments in security.
To streamline this process, the Federal Risk and Authorization Management Program, or FedRAMP, was developed. It represents a government-wide, standardized approach to security assessment, authorization, and continuous monitoring for cloud services. FedRAMP was designed with the objective of saving 30 to 40 percent of government IT costs, in addition to reducing the amount of agency time and staff needed to conduct redundant security assessments. However, up until last month, Federal agencies could only migrate low and moderate impact workloads to the cloud – not mission critical, high impact systems – as no vendors had been certified to provide those services.
These high impact data systems tend to sit in agencies that deal with security, where information that is disclosed, modified, or made unavailable could have severe and even catastrophic effects on organizational operations and assets. While high impact systems constitute only 20 percent of all federal systems, they represent nearly 50 percent of government spending dollars – much of it driven by the additional security concerns noted above. The finalization of the FedRAMP High Security Baseline at the end of June, a set of security controls at the High/High/High categorization level for confidentiality, integrity, and availability, is therefore even more significant. It not only signals an important milestone in cloud security, but is also estimated to drive significant cost savings from the U.S. government’s annual $80 billion IT budget.
Microsoft was selected as one of the vendors that took part in the FedRAMP High Pilot earlier this year. The pilot sought to deepen the understanding of the objectives and the process for both the government and Cloud Service Providers, increase the level of rigor, shorten timeframes, as well as broaden the scope of control applicability. The success of the pilot contributed significantly to the development and refinement of the FedRAMP High Security Baseline and we are happy to report that we successfully received a High Impact Provisional Authority to Operate (P-ATO) approval for the Azure Government environment.
In addition to our work on FedRAMP with the US government, we are engaged with governments and customers around the world to ensure that they can adopt cloud computing securely and effectively. As a result of our global engagements, and reflecting different cultural and organizational experiences, Microsoft developed the Transforming Government: A cloud assurance program guide. It was designed to help governments as they develop and implement cloud assurance programs – reflecting best practices, but also lessons learnt from initiatives such as FedRAMP. We understand that the primary goal of any government cloud assurance program needs to be managing information security risks, while at the same time enabling that government to take advantage of the many benefits and opportunities of cloud services. Achieving that goal requires risk-based decision making at every step of a government’s process of developing and implementing a cloud assurance program. While developing such a process represents a substantial foundational investment, experience shows that it pays significant dividends over time, as it enables governments to leverage secure cloud solutions to deliver and extend citizen services.
Angela McKay
Director of Cybersecurity Policy