FedRAMP Seen as Big Gov't Cost SaverShaving Costs by 30%-40% to Vet Cloud Services
FedRAMP - the Federal Risk and Authorization Management Program - should save between 30 percent and 40 percent of the costs the federal government spends assessing, authorizing, procuring and continuously monitoring cloud computing offerings, Federal Chief Information Security Officer Steven VanRoekel said Thursday.
At a Thursday media briefing launching FedRAMP (see Fed's Common Sense Vetting of Cloud Providers), VanRoekel couldn't pinpoint the exact dollar savings, but said it could run into the millions of dollars.
VanRoekel - whose statutory title is administrator of IT and e-government in the White House Office of Management and Budget - issued a memo dated Dec. 8 that orders departmental and agency CIOs to use FedRAMP when they contract cloud computing services (see FedRAMP to Become Mandatory).
Simply, FedRAMP establishes a framework that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. "It's a uniform way of risk management and utilizes a standard set of baseline security controls," VanRoekel said.
Story continues after graphic.
As part of the FedRAMP process, the government established a Joint Authorization Board - consisting of the CIOs of the departments of Defense and Homeland Security and the General Services Administration, the agency where FedRAMP's program office will be housed - which will define and update regularly the FedRAMP security authorization requirements and accreditation criteria for third-party assessment organizations.
Homeland Security CIO Richard Spires estimates the FedRAMP process should save agencies about 90 percent of the work needed to vet cloud computing providers. "We don't expect CIOs to just take this stuff blindly," Spires said. "We expected them to take it and leverage it to the degree that they need to; but they're ultimately responsible, still, for the full authorization of any system that they put into production. They will need to make adjustments as they see fit for their agencies."
VanRoekel's memo calls for the FedRAMP project management office to issue procedures for agencies to follow by June. In the meantime, the Joint Authorization Board can grant provisional authorizations for cloud services to be used as an initial approval that departments and agencies leverage in granting security authorizations and an accompanying authority to operate for use.
FedRAMP helps facilitate the government's Cloud First initiative to allot one-quarter of the federal government's IT budget on cloud computing solutions (see Kundra Eyes 25% of Fed IT Spend on Cloud Services).