White House proposes common security requirements for cloud computing

The Obama Administration proposed a common set of security requirements for cloud computing that all federal agencies and contractors could share.

The move is intended to expedite the transition to universal Web-based services by eliminating the need for agencies to assess and authorize every information technology product. During the next decade, the White House wants agencies to shift their IT operations to the cloud -- the collective term for software, servers and file storage that users access online on a subscription basis -- instead of managing and owning individual, in-house infrastructures. The new blanket specifications, referred to as the Federal Risk and Authorization Management Program (FedRAMP), are designed to allow contractors and one agency to evaluate and sign off on security controls and then let every other agency use the same template. "Completing the security assessment and authorization process separately by each customer is redundant," the 90-page proposal stated. A "governmentwide risk and authorization program will promote faster and cost-effective acquisition of cloud computing systems by using an 'authorize once, use many' approach to leveraging security authorizations." Under the guidelines, all the security requirements, processes and forms will be available to every federal agency as well as vendors. The document said this decision epitomizes the administration's commitment to transparency. "Private industry will also finally have the full picture of what a security authorization will entail prior to being in a contractual relationship with an agency," the proposed rules stated.

GSA and the Chief Information Officers Council are encouraging the public to comment on the templates, guides, common security requirements and other aspects of the program by Dec. 3.