Two weeks back the US CIO's office released a 90-page proposal entitled Proposed Security Assessment and Authorization for US Government Cloud Computing. The document is the result of 18 months of work among NIST, GSA, the ISIMC and the CIO Council to evaluate security controls and multiple Assessment and Authorization models for US Government cloud computing. It represents the first step in the CIO office's overall goal of deploying secure cloud computing services for the US Federal Government, which could arguably become the largest private cloud initiative in the world to date.
The proposed Assessment and Authorization (A&A) framework is split into three main sections. The US Government defines cloud computing using three service models: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). Within the US Federal Government, standards are mandated by both the Federal Information Security Management Act (FISMA) and National Institute of Standards & Technology (NIST) special publications. A main directive is to promote faster and more efficient acquisition of cloud computing systems through an "authorize once, use many" approach to leveraging security authorizations, as well as to provide transparency and openness in government.
Cloud Computing Security Requirements Baseline
The security controls presented align with NIST special publication 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations:
- Access Control
- Awareness and Training
- Audit and Accountability
- Assessment and Authorization
- Configuration Management
- Contingency Planning
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical and Environmental Protection
- Personnel Security
- Risk Assessment
- System and Services Acquisition
- System and Communications Protection
- System and Information Integrity
Continuous Monitoring
The intent is to inject a dynamic continuous monitoring program into the System Development Life Cycle to determine whether the security controls continue to be effective over time. The process would include the ability to modify and change the monitoring program for the cloud computing environment. Here a Cloud Service Provider (CSP) is loosely defined and left open-ended, leaving the possibility that the federal government may be open to supporting public clouds from vendors like Amazon, Microsoft and Salesforce.com. This seems to be a break from the executive overview at the beginning of the document, where the focus is on the instantiation of a private cloud, but the open-ended definition continues through the remainder of the document.
The following set of reports and deliverables will be required of CSPs, each with its stated frequency:
- Patch Management - Monthly
- Verification of FDCC Compliance - Quarterly
- Incident Response Plan - Annual
- POAM Remediation - Quarterly
- Change Control Process - Annual
- Penetration Testing - Annual
- IV&V of Controls - Semi-Annual
- Scan to Verify Boundaries - Quarterly
- System Configuration Management - Quarterly
- FISMA Reporting - Quarterly
- Update Documentation - Quarterly
- Contingency Plan & Test Report - Annual
- Separation of Duties Matrix - Annual
- Information Security Awareness and Training - Annual
Potential Assessment & Authorization Approach
The CIO's office looks at cloud computing as an opportunity to break down the silos within the US Federal Government and create a common security baseline for shared systems. This may be difficult, as budgets are often allocated on an agency or initiative basis, which discourages a shared cost structure. If the CIO's office can overcome this hurdle, it would indeed be a major breakthrough, advocating efficiency and cost savings on behalf of the US taxpayer. This is why FedRAMP was created; its objectives are defined as follows:
- Ensure that information systems/services used government-wide have adequate information security
- Eliminate duplication of effort and reduce risk management costs
- Enable rapid and cost-effective procurement of information systems/services for Federal Agencies
Conclusion
In summary, the document presents an exhaustive security and control plan for implementing and managing a cloud computing initiative. All aspects of information management are defined and presented, which could provide an excellent framework for the adoption of cloud computing by the private sector and businesses worldwide. This is a refreshing and solid first step in the broad-based adoption of cloud computing by a government.
The proposal has been presented for public comment and submissions can be made through FedRAMP until midnight on December 2, 2010.