White House CIO Council Releases Draft Guidance on U.S. Govt Cloud Computing

A draft release of a 90-page Proposed Security Assessment and Authorization for U.S. Government Cloud Computing was distributed by the White House CIO Council yesterday, curiously numbered a 0.96 release. A product of FedRAMP (the Federal Risk and Authorization Management Program), the guidance draft is the result of an 18-month inter-agency effort by the National Institute of Standards and Technology (NIST), the General Services Administration (GSA) (see GAO-10-855T), the CIO Council and others, including state and local governments, industry, academia, and additional governmental bodies, such as the Information Security and Identity Management Committee (ISIMC). Comments on the draft can be submitted online until December 2nd.

While we'll be posting further analysis of the cloud computing guidance draft, the draft is organized into three chapters, which focus on:

  1. Cloud Computing Security Requirements Baselines;
  2. Continuous Monitoring; and a
  3. Potential Assessment & Authorization Approach.

An appendix contains materials on assessment procedures and security documentation templates. While the end goal of this FedRAMP initiative is to streamline federal governmental cloud computing vetting and procurement across agencies, it clearly remains to be seen how this ultimately works out in the field. As the guidance states, on page 46, in the introduction to Chapter 3, Potential Assessment & Authorization Approach:

"the end goal is to establish an on-going A&A approach that all Federal Agencies can leverage. To accomplish that goal, the following benefits are desired regardless of the operating approach:

  • Inter-Agency vetted Cloud Computing Security Requirement baseline that is used across the Federal Government;

  • Consistent interpretation and application of security requirement baseline in a cloud computing environment;

  • Consistent interpretation of cloud service provider authorization packages using a standard set of processes and evaluation criteria;

  • More consistent and efficient continuous monitoring of cloud computing environment/systems fostering cross-agency communication in best practices and shared knowledge; and

  • Cost savings/avoidance realized due to the “Approve once, use often” concept for security authorization of cloud systems."

Check back for a detailed analysis of the draft Proposed Security Assessment and Authorization for U.S. Government Cloud Computing.