On November 2, the General Services Administration (“GSA”) published the Proposed Security Assessment & Authorization for U.S. Government Cloud Computing guidelines, developed by an interagency team composed of representatives from the CIO Council, GSA, the National Institute of Standards and Technology (“NIST”), and other organizations. The proposed guidelines are designed to provide a centralized system for assessing and authorizing cloud computing services for all U.S. government agencies in a manner that would provide appropriate security and maximize the efficiency of government contracting. High impact U.S. government information services (e.g., classified military and intelligence data) would not be subject to these guidelines. The agencies responsible for such activities would retain primary authority to assess and authorize information technology services in accordance with applicable laws and regulations. Public comments on the proposed guidelines will be accepted until December 2, 2010.
The proposed guidelines call for security assessment and authorization of all cloud computing services for U.S. government agencies by the Federal Risk and Authorization Management Program (“FedRAMP”). Consistent with the requirements of the Federal Information Systems Management Act, the proposed guidelines would require cloud service providers to demonstrate compliance with a variety of security obligations detailed in NIST Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations (August 9, 2009). Some of the controls recommended within NIST SP 800-53 have been augmented in the proposed guidelines. Examples of these modifications include:
- implementation of FIPS 140-2 compliant encryption for any Software as a Service (“SaaS”) offering that includes email and
- maintenance of at least three backups of user and system level data (one of which must be available online).
In addition to the goal of ensuring appropriate security for information used by the U.S. government, the guidelines are intended to improve the efficiency of the cloud service contracting process by creating an “authorize use, use many” system. Once a cloud service provider has been authorized by FedRAMP for one agency, its services would be pre-authorized for other agencies.
While most of the requirements and authorization procedures reflect well established best practices in information security, there are several elements of the proposed guidelines that are of particular note.
Authorization under FedRAMP must be renewed every three years or whenever the cloud service experiences a significant change in security posture as defined in NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (February 2010). NIST SP 800-37 broadly defines a “significant change” as a “change that is likely to affect the security state of an information system.” Accordingly, examples of changes that may trigger reauthorization include:
- operating system upgrades, such as transitioning from Windows Server 2003 to Windows Server 2008;
- changes in software applications, such as transitioning from Oracle 11g to Microsoft SQL Server 2008; or
- changes in physical location of cloud assets, which may have notable consequences for cloud service providers that may desire to add new facilities to meet rapidly increasing customer demand.
Real Time Continuous Risk Management
The proposed guidelines emphasize real time continuous risk management – the process of using security management tools (e.g., regularly scheduled vulnerability scans and penetration tests, intrusion detection systems, and data loss prevention systems) and procedures to evaluate and revise security measures on an ongoing basis. In fact, the proposed guidelines state that cloud services would only be required to conduct traditional point-in-time assessments every three years (possibly coinciding with the FedRAMP reauthorization schedule discussed above). Prioritization of real-time risk management has been a major goal of U.S. Chief Information Officer Vivek Kundra, as he stated in testimony before the House Committee on Oversight and Government Reform, Subcommittee on Government Management, Organization, and Procurement. In order to achieve this objective, the proposed guidelines call for cloud service providers to produce a number of artifacts to FedRAMP on a periodic basis. Examples of the required artifacts include:
- monthly vulnerability scans;
- quarterly system configuration reports;
- quarterly plans of action and milestones regarding efforts to remediate identified security vulnerabilities;
- annual penetration testing;
- annual security awareness and training reports; and
- annual updates for security policies, incident response procedures, and change management procedures.
Implementation of these requirements in the final guidance could accelerate the acceptance and adoption of similar real-time risk management strategies in government and private enterprise. However, it remains unclear how quickly (if ever) such an evolution in risk management would be reflected in the enforcement agenda of regulatory agencies such as the Federal Trade Commission that deal with a wide variety of enterprises within and outside of the cloud service industry.
It should also be noted that, if implemented, the proposed guidelines could affect competition in the cloud service industry. First, it is reasonably foreseeable that state and local governments may adopt similar assessment and authorization procedures and/or recognize authorization through FedRAMP as a way to demonstrate appropriate security for contractors. Moreover, private institutions may implement similar authorization procedures for cloud service providers. Adopting the same safeguards required for the protection of moderate impact federal information systems may serve as valuable evidence that a business has legally reasonable and appropriate security measures for third-party service providers. This may be particularly true for businesses required by law to supervise the security practices of third-party service providers under HIPAA, the GLB Safeguards Rule, and state data security laws and regulations in Massachusetts, Nevada, and Oregon. In the long run, cloud service providers may find that compliance with the proposed guidelines affects their ability to serve customers beyond the U.S. government.
Second, it is conceivable that the proposed guidelines may create an unintended barrier to entry for cloud service providers. While there are a variety of areas in which businesses are required to receive authorization or certification in order to offer products or services to U.S. government agencies, many of these procedures allow prospective government vendors to submit their products and services for evaluation without sponsorship by a government agency. For example, technology vendors may submit data encryption products for certification under the NIST Cryptographic Module Validation Program without first securing sponsorship from a government agency. By contrast, the proposed guidelines envision a procedure by which cloud services are only authorized upon the request of the government agency seeking to acquire the services. It is foreseeable that after a certain number of cloud services have been authorized, government agencies may choose to use cloud services that have already been authorized rather than devote agency resources to the authorization of a new cloud service provider. Such an outcome could hinder entry of new cloud service providers and innovation in the long run.