GCN : September 2013
this one-size-fits-all approach to work," he said.

MIXED INGREDIENTS

FedRAMP is the result of input from a wide range of government agencies, companies and industry bodies, and currently encompasses security necessary for compliance with Federal Information Security Management Act (FISMA) low and moderate requirements. The security controls included are based on the National Institute of Standards and Technology's Special Publication 800-53, with added controls for cloud computing. Revision 4 of those standards, which FedRAMP will be updated to include, was published in April.

There are currently 116 controls included in the FISMA low version of FedRAMP, and 298 in the FISMA moderate version. To be able to compete for agency cloud services in the future, service providers have to undergo a rigorous certification process and have their security procedures verified by a third-party assessment organization. If risks are found, the provider has to fix them and then have their procedures assessed again. The whole FedRAMP process is overseen by a Joint Authorization Board made up of CIOs from the Defense and Homeland Security departments and the General Services Administration.

Even as a baseline, FedRAMP will bring immediate benefits to agencies, said Maria Roat, the director of the FedRAMP program at GSA. It provides a standard approach for the implementation of both FISMA low and moderate security controls across the entire government.

"If you look at what agencies have been doing with FISMA up to now, it's really been a mixed bag," she said. "It's depended on who the authorizing official is, who the business owners [of the systems and data] are and so on, and it's really been all over the board as to how stringently agencies have applied the FISMA requirements."
As to specific needs for cloud, Roat admitted that there's still a fair amount of education going on about what the best use of cloud is, and what the FedRAMP requirements are when they do use the cloud.

"But we are starting to see questions coming in that indicate people are already starting to look to the cloud for things outside of such things as email and basic Web services," she said. "They are looking at it for applications that will help them better serve their customers, and asking about what the appropriate security is for those."

CLOUDY PICTURE

And that's where complications start to muddy the picture. Each agency will have its own needs as far as data is concerned. Information assurance managers in the Defense Department, for example, will

What's in the future for FEDRAMP?

The Federal Risk and Authorization Management Program is an evolving entity, intended to grow and morph as agencies increase their use of cloud computing. Here are two things that a future version of FedRAMP might include that could expand the situations it covers and improve its uptake:

FISMA high

As the comfort level of agencies with both cloud computing and FedRAMP increases, many observers think the next level will be for FISMA high security requirements to join the low and moderate requirements that FedRAMP already covers. That will help alleviate many of the concerns people now have with some data security needs not being covered by the FedRAMP baseline, they say.

But it's not that obvious, according to Maria Roat, director of FedRAMP at the General Services Administration. At meetings where the subject has come up, she's been throwing back the question of whether the demand is for "high, high, high" security or just high availability of the data. Only about 12 percent of the needs across government are at the high level, she said, with the rest at low or moderate.

"When organizations such as intelligence agencies need a high (security) baseline, they keep the data in private clouds in their own data centers," she said. "So far, agencies really aren't stepping up and saying they need high confidentiality for FedRAMP."

Standardized SLAs

Right now, agencies have to negotiate their own service-level agreements with cloud providers around FedRAMP, which takes time and can provide headaches for many, particularly given that most agencies will use two or more companies to provide services.

"There is no FedRAMP SLA equivalent today," said Kevin Jackson, vice president and general manager of cloud services at NJVC. "I think a minimum set of SLAs for agencies across government would be a good thing [for the FedRAMP program], and that's a good role for GSA to take on."

The question of a standardized FedRAMP SLA is something that many agencies have brought up, Roat said. "We don't have a good answer for it yet," she said, "but it's something we are looking at."

-- Brian Robinson