GSA poised to release security guidelines for cloud products
Public comment welcome
- By Rutrell Yasin
- Sep 23, 2010
The General Services Administration is poised to release, for public comment, security controls and guidelines designed to speed up the certification and accreditation of cloud computing products and services, a senior GSA executive told attendees at a cloud computing conference today.
“We are going to release common security guidelines Friday or Monday for industry, public and agency comment,” said David McClure, GSA’s associate administrator of Citizen Services and Innovative Technologies, at the Cloud-Enabled Government Conference & Expo in Washington, D.C. The conference is sponsored by Digital Government Institute.
Based on National Institute of Standards and Technology guidelines, the security requirements are part of the Federal Risk Authorization and Management Program.
FedRAMP is an interagency initiative to provide a government-wide certification process. The aim is to reduce costs and duplication when multiple agencies attempt to certify products and services for security compliance.
FedRAMP, a key part of the Obama administration’s cloud computing initiative, also will provide security authorizations and continuous monitoring of shared systems.
A common certification and accreditation process can save the government and vendors a lot of money and help streamline procurement, if agencies can use 50 or 80 percent of what others have done, McClure said.
McClure said he realizes that not all agencies would want to rely on independent security assessments, especially when they are still responsible for security. “We’re not pretending that we are waving a magic wand,” and everything will fall into place, McClure said. “This is a cultural issue.”
FedRAMP is not mandatory, and McClure said the best way to build agency trust in the program is to prove that it works. For example, GSA developed a program to test and verify collaboration tools designed to help agencies open up dialogue with the public, and many agencies are using those tools.
The same can apply to FedRAMP. It is better to prove that the process works and agencies will come because they want to, he noted.
Version 2 of the FedRAMP requirements will include security controls detailed in the NIST special publication 800-53R as well as enhancements.
GSA will list the FedRAMP requirements on www.info.apps.gov and www.cio.gov.
GSA plans to hold two question-and-answer sessions at fixed locations, with broadcasts available for people in other locations. The session for government agencies is slated for Oct. 4 and the session for industry for Oct. 8, McClure said. The public comment period will close Oct. 11, at which time GSA and partner agencies will view and reconcile the comments.
FedRAMP is scheduled to launch in the first quarter of fiscal year 2011.
Rutrell Yasin is a freelance technology writer for GCN.