GSA poised to release security guidelines for cloud products

Public comment welcome

The General Services Administration is poised to release, for public comment, security controls and guidelines designed to speed up the certification and accreditation of cloud computing products and services, a senior GSA executive told attendees at a cloud computing conference today.

“We are going to release common security guidelines Friday or Monday for industry, public and agency comment,” said David McClure, GSA’s associate administrator of Citizen Services and Innovative Technologies, at the Cloud-Enabled Government Conference & Expo in Washington, D.C. The conference is sponsored by the Digital Government Institute.

Based on National Institute of Standards and Technology guidelines, the security requirements are part of the Federal Risk Authorization and Management Program.

FedRAMP is an interagency initiative to provide a government-wide certification process. The aim is to reduce costs and duplication when multiple agencies attempt to certify products and services for security compliance.

FedRAMP, a key part of the Obama administration’s cloud computing initiative, also will provide security authorizations and continuous monitoring of shared systems.

A common certification and accreditation process can save the government and vendors a lot of money and help streamline procurement, if agencies can use 50 or 80 percent of what others have done, McClure said.

McClure said he realizes that not all agencies would want to rely on independent security assessments, especially when they are still responsible for security. “We’re not pretending that we are waving a magic wand,” and everything will fall into place, McClure said. “This is a cultural issue.”

FedRAMP is not mandatory, and McClure said the best way to build agency trust in the program is to prove that it works. For example, GSA developed a program to test and verify collaboration tools designed to help agencies open up dialogue with the public, and many agencies are using those tools.


The same can apply to FedRAMP. It is better to prove that the process works and agencies will come because they want to, he noted.

Version 2 of the FedRAMP requirements will include security controls detailed in the NIST special publication 800-53R as well as enhancements.

GSA will list the FedRAMP requirements on and

GSA plans to hold two question-and-answer sessions at fixed locations, with broadcasts available for people in other locations. The session for government agencies is slated for Oct. 4 and the session for industry for Oct. 8, McClure said. The public comment period will close Oct. 11, at which time GSA and partner agencies will view and reconcile the comments.

FedRAMP is scheduled to launch in the first quarter of fiscal year 2011.

About the Author

Rutrell Yasin is a freelance technology writer for GCN.

Reader Comments

Thu, Sep 23, 2010

Gartner: Cloud Security Is Better Than What You Have Today Cloud-based computing will be more secure than on-premise computing and anyone who thinks they have control over their IT is just kidding themselves, according to Neil MacDonald, Gartner vice president and fellow. Cloud is also the first generation of IT to bake in security, rather than treat it as an afterthought, MacDonald said.
