The federal government released draft plans for a program to ensure cloud services meet federal cybersecurity guidelines, which should help shore up lingering government concerns about cloud security and accelerate adoption of the technology.
The government expects the Federal Risk and Authorization Management Program (FedRAMP) to be operational by the first quarter of 2011. Through the voluntary program, developed with cross-government and industry support over the last 18 months, cloud services would go through a standardized security accreditation and certification process, and any authorization could then be leveraged by other agencies.
FedRAMP also aims to eliminate a duplicative, costly process to certify and accredit applications. In the past, each agency would typically take apps and services through their own accreditation process. However, in the shared-infrastructure environment of the cloud, such a process is redundant, and
FedRAMP allows services to be accredited once and have that accreditation leveraged by all government agencies.
The FedRAMP draft includes three major pieces: a set of cloud computing security baseline requirements; a process to continuously monitor cloud security; and a description of proposed operational approaches to authorizing and assessing cloud-based systems.