This week the General Services Administration in the United States released a comprehensive set of guidelines for agencies considering moving some of their operations to the cloud. The guidelines provide an inter-agency baseline for evaluating and approving cloud providers, which the feds hope will refine and speed the lengthy process of approval.
The Federal Risk and Authorization Management Program (FedRAMP) was established to supply a standardized approach for evaluating and authorizing cloud services and providers. Many have expected that the creation of the program would speed government adoption of cloud computing since before FedRAMP, there was no single government-wide authorization program for contracting such services. The government has sought the help of cloud giants, including IBM, Google and Microsoft in its efforts to set forth acceptable baselines and will be holding Q&A sessions on November 15.
Since the program was launched earlier this year, Federal CIO Vivek Kundra and members of his Cloud Computing Advisory Council have been working in concert to bring some of the original concepts closer to reality. The goal of such programs is ultimately to bring the United States more in line with its goals to reduce the number of expensive data centers.
In essence, the program aims to provide joint authorizations and constant monitoring of shared IT services across agencies that have entered into agreements with outside vendors. The government hopes that this will allow for “unified risk management” in IT by creating unanimously approved security requirements, ensuring security on shared systems, and encouraging better system integration with current IT security efforts.
As the feds note, “the common baseline ensures that the benefits of cloud-based technologies are effectively integrated across the various cloud computing solutions currently proposed within the government. The risk model will also enable the government to ‘approve once and use often’ by ensuring multiple agencies gain the benefit and insight of the FedRAMP’s authorization and access to service provider’s authorization packages.