Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News US Government: Proposed Assessment and Authorization for Cloud Computing

US Government: Proposed Assessment and Authorization for Cloud Computing

This item in japanese

Two weeks back the US CIO's office released a 90 page proposal entitled, Proposed Security Assessment and Authorization for US Government Cloud Computing.  The document is the result of 18 months of work among the NIST, GSA, ISIMC and the CIO Council to evaluate security controls and multiple Assessment and Authorization models for US Government Cloud Computing.  This represents the first step of the CIO's office in their overall goal to deploy secure cloud computing services for the US Federal Government, which could arguably instantiate the largest private cloud initiative in the world to date.

The intended Assessment and Authorization, A&A, is split into three main sections with the idea of creating a framework to provide A&A.  The US Government defines cloud computing using three service models; Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).  Within the US Federal Government standards are mandated by both the Federal Information Security Management Act, FISMA, and National Institute of Standards & Technology, NIST, special publications.  A main directive is to promote faster and more efficient acquisition of cloud computing systems through the use of a "authorize once, use many" approach to leveraging security authorizations as well as provide transparency and openness in government.  

Cloud Computing Security Requirements Baseline

The security controls presented align with NIST special publication 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations:

  1. Access Control
  2. Awareness and Training
  3. Audit and Accountability
  4. Assessment and Authorization
  5. Configuration Management
  6. Contingency Planning
  7. Identification and Authentication
  8. Incident Response
  9. Maintenance
  10. Media Protection
  11. Physical and Environmental Protection
  12. Personal Security
  13. Risk Assessment
  14. System and Services Acquisition
  15. System and Communications Protection
  16. System and Information Integrity

Continuous Monitoring 

Intent is to inject a dynamic continuous monitoring program into the System Development Life Cycle to determine if the security controls continue to be effective over time.  The process would include the ability to modify and change the monitoring program for the cloud computing environment.  Here a Cloud Service Provider is loosely defined and left open-ended leaving a possibility the federal government may be open to supporting public clouds from vendors like Amazon, Microsoft and  This seems to be a break from the executive overview at the beginning of the document where the focus is on the instantiation of a private cloud, but continues through the remainder of the document.

A set collection of reports and deliverables will be required of CSPs as follows with frequency:

  • Patch Management - Monthly
  • Verification of FDCC Compliance - Quarterly
  • Incident Response Plan - Annual
  • POAM Remediation - Quarterly
  • Change Control Process - Annual
  • Penetration Testing - Annual
  • IV&V of Controls - Semi-Annual
  • Scan to Verify Boundaries - Quarterly
  • System Configuration Management - Quarterly
  • FISMA Reporting - Quarterly
  • Update Documentation - Quarterly
  • Contingency Plan & Test Report - Annual
  • Separation of Duties Matrix - Annual
  • Information Security Awareness and Training - Annual

Potential Assessment & Authorization Approach

The CIO's office looks at cloud computing as an opportunity to break down the silos within the US Federal Government and create a common security baseline for shared systems.  This may be difficult as budgets are often allocated on an agency or initiative basis which discourages a shared cost structure.  If the CIO's office can overcome this hurdle, it would indeed be a major breakthrough advocating efficiency and cost savings on behalf of the US taxpayer.  This is why FedRAMP was created, whose objective is defined:

  • Ensure that information systems/services used government-wide have adequate information security
  • Eliminate duplication of effort and reduce risk management costs
  • Enable rapid and cost effective procurement of information systems/services for Federal Agencies


In summary, the document presents an exhaustive security and control plan for implementing and managing a cloud computing initiative.  All aspects of information management are defined and presented which could provide an excellent framework for adoption of cloud computing by the private sector and businesses worldwide.  This is a refreshing and solid first step in broad-base adoption of cloud computing by a government.

The proposal has been presented for public comment and submissions can be made through FedRAMP until midnight on December 2, 2010.

Rate this Article