12.14.2011

On December 8, 2011, Federal Chief Information Officer Steven VanRoekel issued a memorandum introducing the Office of Management and Budget’s Federal Risk and Authorization Management Program (“FedRAMP”).  FedRAMP is intended to make the government’s migration to cloud computing more cost effective and to ensure the safety, security and reliability of the government’s data.  The program implements a new policy, developed over the past two years, to develop “trusted relationships” between executive departments and agencies and cloud service providers (“CSPs”).  The memorandum requires FedRAMP initial operational capability to occur within six months; all federal agencies are expected to use FedRAMP before acquiring cloud-based services and to require vendors to comply with the program’s standards.

A major feature of FedRAMP is to establish a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services by all agencies.  The government’s current practice is for each agency to go through multiple steps, which take anywhere from six to 18 months, to assess and authorize the security of a system before granting authority to transition to the cloud.  According to VanRoekel, this practice has imposed a burden on contractors, reducing competition for federal IT business.  Under FedRAMP, the government will transition to a “do once, use many times” framework to reduce costs and eliminate redundant agency security assessments.

The General Services Administration (“GSA”) will establish a FedRAMP project management office, which will develop templates for executive departments and agencies to satisfy FedRAMP security authorization requirements.  The templates will feature standard contract language and service level agreements for use in the acquisition of cloud services.  GSA will also work with the National Institute of Standards and Technology (“NIST”) to accredit third-party assessment organizations (“3PAOs”) to provide independent assessments of how effectively CSPs implement FedRAMP requirements.  Each executive department and agency will have to ensure that its acquisitions comply with FedRAMP security authorization requirements and include contract provisions related to CSP reviews and inspections.  Additionally, CSPs will have to route their traffic to meet the requirements of the Trusted Internet Connection program.

Within 30 days, the Chief Information Officer Council will publish the standardized baseline of security controls, privacy controls and controls for continuous monitoring to be included within the FedRAMP security authorization requirements.  These requirements are to be derived from NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations.  Within 60 days, the FedRAMP project management office will publish a concept of operations for executive departments and agencies and CSPs regarding the FedRAMP security authorization requirements, and initial operational capability will occur within 180 days.  Cloud services currently in the acquisition process and those already implemented must meet the FedRAMP security authorization requirement within two years of FedRAMP being declared operational.

According to VanRoekel, cloud computing has “become an integral part of the government’s IT DNA,” as reflected in the government’s cloud-first policy and cloud migrations under the IT reform plan.  Under the administration’s Cloud First Initiative, agencies identified 79 services to move to the cloud in order to reap savings and service improvements.  During 2011, agencies migrated 40 of those services to the cloud.  At the same time, the government will have closed more than 472 data centers by the end of 2012, with plans to close nearly 1,000 data centers by the end of 2015.

CSP and 3PAO contractors should monitor FedRAMP developments to maximize their opportunities to enter into, or continue effective participation in, the federal cloud computing market.

© 2011 Perkins Coie LLP
