The federal government's Cloud First policy has been around for more than five years (closer to six, now). And the Federal Risk and Authorization Management Program (FedRAMP) — which certifies third-party cloud systems as secure — is coming up on its fifth birthday.
But not everyone in government is on board.
Federal cloud adoption is maturing. But it's been held back over the years, mostly by the risk-averse culture that permeates most federal agencies. The June 23 release of FedRAMP's high impact baseline could be a turning point in cloud's coming of age.
Getting a FedRAMP authorization before deploying a cloud service is mandatory for agencies. However, prior to the high baseline's release, agencies could only authorize services at the low and moderate impact levels. The lack of a stronger tier left many ill at ease with the whole idea of cloud. Box huggers hugged tighter, leery of the day they would have to explain to Congress how their data was stolen from a third-party system.
Having a high impact baseline (a set of controls used to certify that a cloud service can securely host data that, if compromised, could cause severe or catastrophic harm, including loss of life, serious injury or financial ruin) could help assuage some of those fears.
"This is definitely a pinnacle in the process — a turning point," said Pam Walker, senior director of federal public sector technology at the Information Technology Industry Council. "One of the reasons you would always see for agencies not wanting to adopt cloud and moving toward that is they would always bring up security: The cloud is insecure, we can't put our information over there."
You can spend all day telling CIOs and IT managers that cloud services are more secure than their own data centers, but that will mean little if agencies can't store their most sensitive information in those services. When any breach of significant size can land a CIO in front of a congressional committee, why chance it?
Even CIOs who wrap their heads around the idea that cloud could be safer still wonder whether Congress will understand that distinction when they have to testify.
Of course, having a FedRAMP authority to operate (ATO) doesn't grant immunity from congressional scrutiny.
"Even if you're going to do FedRAMP-certified cloud, the agencies still have to do their homework," Walker said. "Just because something is FedRAMP-certified doesn't mean they can just move everything up … [But] the high baseline — or even just a regular ATO — helps with that because it shows the company is meeting those standards."
Having the FedRAMP stamp of approval goes a long way, agreed John Keese, director of cloud services for CSRA, one of three CSPs to participate in the high baseline pilot and come out the other side with a provisional ATO.
"People, to this day, say it's just a paper process," Keese said, asserting that a FedRAMP ATO is more than just another check-the-box exercise. "It's not a paper process. FISMA 1.0 [the first version of the Federal Information Security Management Act] was a paper process; this is continuous compliance. You cannot fake your way through the process, you can't hand-wave about your security, you can't PowerPoint your way to a solution. You have to have a functional cloud service that meets the criteria."
Keese noted that we have yet to see a breach of government data in a FedRAMP-certified cloud, and said the high baseline will only strengthen that trend.
"It takes away a lot of the internal arguments that occur when people don't want to release systems" to the cloud, he said.
There are no silver bullets in cybersecurity and change will continue to get swallowed up by culture in the near term. But the release of the high impact baseline should signal to agencies that federal cloud options are maturing. If they see the signs, this could be a turning point for cloud adoption.
Aaron Boyd is an award-winning journalist currently serving as editor of Federal Times, a Washington, D.C. institution covering the federal workforce and contracting for more than 50 years, and Fifth Domain, a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.