White House considers relaxing cloud security requirements

Obama administration officials are considering relaxing some security requirements for cloud computing certification to expedite deployments, afterwards the software industry raised concerns about impractical, one-size-fits-all controls, federal officials said.

The goal of the initiative

The goal of the initiative, called the Federal Risk and Authorization Management Program, is to provide departments with standard procedures for reviewing safeguards in Web-accessible information research used by multiple agencies. Federal officials expect to get the program off the ground by this summer.

But SIIA has rejected certain FedRAMP requirements that it says threaten to slow cloud computing implementations. A new OMB cloud-first policy calls for every agency to identify three "must move" services and migrate them to the cloud within 18 months.

The industry praises the cloud-first policy

While the industry praises the cloud-first policy and FedRAMP's concept of "certify once and use often," association officials said the controls the current specifications require could prevent vendors from being able to move agency computing operations to the cloud by the deadline.

"We are working collaboratively with government and industry experts to explore the potential merits of moving toward a performance-based security assessment process, especially for technical security controls," GSA spokeswoman Sara Merriam said on Thursday. "The FedRAMP requirements must facilitate the trust required between agencies and industry to work toward proactive cloud computing adoption in support of the administration's cloud-first policy."

Means of outsourcing software

Cloud computing is a means of outsourcing software, server, storage and other IT needs to Web services companies. The idea is that paying for online access to IT on a subscription basis, or rather than maintaining systems in-house, will save the government money.

Cloud companies, unlike traditional software firms, modify their products and services many times a year, SIIA officials said. The additional cost to comply with this kind of continuous monitoring could make it difficult for vendors to justify doing business with the government, the association's comments stated. The industry suggested assessing fewer controls and requiring such analyses only for major federal contracts.

Both suggestions are in accordance with consideration, according to GSA officials. "We are evaluating how automation can be used in conjunction with continuous monitoring and doing so after a fashion that does not increase the burden on cloud computing service providers," Merriam said.

One common fear regarding cloud computing that has slowed adoption is maintaining data remotely, on networks and databases shared by many other subscribers, might increase the chances data will be lost, or compromised. In addition, the WikiLeaks mess, in which a soldier allegedly downloaded mounds of classified and confidential federal files onto a music CD, has renewed agencies' focus on ensuring all sensitive government data remains encrypted, or translated into secret code.

Some security experts disagree. Roy E. Hadley, co-leader of the cloud computing and cybersecurity practice at law firm Barnes & Thornburg LLP, said, "The safest bet is to protect the data itself and not worry so much about where it's transported and where it's stored."