Yesterday, I hosted a panel at the Cloud Computing summit focused on cloud security for the federal government. The panel was made up of some smart folks: Alex Hart from VMware, Bob Wambach from EMC and one of the primary authors of the Cloud Security Alliance guidelines, Chris Hoff from Cisco.
While these folks offered great contributions, most questions were focused on the fourth member of the panel, Peter Mell from NIST, the chair of the Federal Cloud Computing Advisory Council. Why? Let's just say that Mell may be the single individual most focused on cloud security in the world. Mell has been tasked with defining cloud computing standards for the entire federal government -- a big responsibility since President Obama and Federal CIO Vivek Kundra continue to trumpet the benefits of cloud computing and push federal agencies to adopt pilot projects.
Mell's work will soon come to fruition when the feds introduce the Federal Risk and Authorization Management Pilot program (FedRAMP). FedRAMP has two primary goals:
1. Aggregate cloud computing standards. Today, many agencies have their own set of standards which complicates procurement and frustrates federally-focused technology vendors. FedRAMP is intended to consolidate cloud computing requirements into one set of standards that span the entire federal government.
2. Ease agency certification processes. Let's say Microsoft's federal cloud is FISMA certified by the Dept. of Agriculture. In today's world, this wouldn't matter to any other agency -- they would still be required to certify Microsoft's cloud before procuring services. Kundra, Mell, et. al. recognize the redundancy and waste here. With FedRAMP, once a cloud provider passes the Certification and Accreditation (C and A) of one agency, all other agencies get a free pass.
Since FedRAMP is still a work in progress, the audience made up of Federal IT people had a lot of questions about all of the fine points. Thus Mell was on the hot seat for most of the time.
Peter Mell deserves a lot of credit. Federal agencies have often acted independently with regard to IT, so Mell and his team are herding cats.
If FedRAMP works, cloud service providers can deliver to a single set of standards. This will encourage innovation and bolster competition. On the agency side, FedRAMP could pave the wave to a wave of cloud computing consumption over the next few years. What happens if FedRAMP fails? The federal government becomes difficult to services so most cloud service providers treat it as a market niche. If this happens, the federal government could lose its cloud computing leadership and momentum very, very quickly.