Many companies, small and large, are moving from internally dedicated hardware and enterprise servers to shared servers hosted by other organizations. This utility is known as “the cloud” and these services require very high-capacity servers and networks provided by cloud service providers (CSP). U.S. Federal agencies are also moving to the cloud to maximize efficiencies and to reduce ongoing infrastructure costs.
However, a recently released Inspectors General report on the integrity of cloud computing found that that a majority of cloud systems reviewed did not meet the Federal Risk Authorization and Management Program (FedRAMP) compliance requirements as of June 5, 2014, even though the requirement was announced on December 8, 2011. As a result, all Federal agencies must now authorize IT service at the agency level, and Office of Management and Budget policy dictates agencies must use FedRAMP when authorizing cloud services.
According to Derrick Nixon, director of Cybersecurity Programs at Honeywell, “FedRAMP has three process areas that allow government agencies to authorize cloud services:
“1. The security assessment process uses a standardized set of requirements in accordance with Federal Information Security Management Act of 2002 using a baseline set of National Institute of Standards and Technology 800-53 controls to grant security authorizations.
“2. Federal agencies can view security authorization packages in the FedRAMP repository and leverage the security authorization packages to grant a security authorization at their own agency.
“3. Once an authorization is granted, a current and ongoing assessment and authorization of the cloud services provider must occur in order to maintain the security authorization. To accomplish this aspect, FedRAMP accredits third party assessors through a conformity assessment process. These accredited assessors are known as Third Party Assessment Organizations (3PAO). A 3PAO is essentially the cloud provider auditor, performing initial and periodic assessments per FedRAMP requirements.”
Honeywell is an accredited 3PAO, and can assist the CSPs that want to provide cloud services to Federal agencies during the assessment and authorization phases of the process. Nixon said, “Honeywell stands apart as an industry leader with innovative techniques and a workforce experienced with satisfying government standards. And our 3PAO accreditation status, experienced staff, and security assessment tools enable us to provide the highest quality FedRAMP assessment services to CSPs.” Honeywell’s 3PAO services include:
- The Preparation or Document Phase reviews the CSP’s baseline security controls and documents to ensure compliance with all mandated requirements and then converts these documents into the mandatory FedRAMP format.
- During the Independent Assessment and Authorization Phase, we perform our independent assessment and work with the CSP to attain approval.
- Honeywell will then facilitate the required continuous monitoring and provide reports to the FedRAMP program management office.
“We help our customers with the assessment, close any security holes and to qualify to provide cloud services,” said Nixon. “And Honeywell ultimately makes the Federal clouds more secure.”
For more information download "Securing The Cloud" white paper.