BRIEF
Cloud Security for
Federal Agencies
Achieving greater efficiency and better security
through federally certified cloud services
This paper is intended to help federal agency executives to better address federal security and privacy requirements when choosing cloud computing services. We explain how using a cloud provider that is certified through the Federal Risk and Authorization Management Program (FedRAMP) and the General Services Administration’s Blanket Purchase Agreement (BPA) for Infrastructure as a Service (IaaS) offers agencies real potential for improving efficiency and risk management in establishing their IT infrastructure in the cloud. We also delineate the FedRAMP lines of responsibility between agencies and cloud providers, and provide guidance for evaluating cloud providers to maximize benefits and minimize delivery risk.

“It is not sufficient to consider only the potential value of moving to cloud services. Agencies should make risk-based decisions which carefully consider the readiness of commercial or government providers to fulfill their Federal needs.”
–Vivek Kundra, U.S. Chief Information Officer, Federal Cloud Computing Strategy, February 8, 2011

A critical issue, but not a barrier

Cloud computing offers federal agencies a powerful means to reduce costs, deliver more timely services, and significantly reduce burdens on internal IT resources. While the promised value is compelling, agency managers cite security and data privacy concerns as primary reasons for not migrating specific systems to the cloud. They are concerned about the loss of control from the multi-tenant nature of cloud computing, which requires rigorous controls and continuous monitoring to prevent potential data leakage and unauthorized access. They also require visibility into potential security incidents and must be able to respond to security audit findings and obtain support for investigations.
As a result, security and data privacy were top priorities that the General Services Administration’s (GSA’s) Federal Cloud Computing Initiative sought to address to facilitate cloud adoption. GSA has collaborated with the Federal Chief Information Officer (CIO), the National Institute of Standards and Technology (NIST), the CIO Council, and Senior Agency Information Security Officers to build a common cloud security Assessment and Authorization (A&A) framework called the Federal Risk and Authorization Management Program (FedRAMP). GSA has also required cloud providers on its Blanket Purchase Agreement (BPA) for Infrastructure as a Service (IaaS) to receive A&A to support systems requiring Low or Moderate Risk Impact environments. In addition, these vendors must pass stringent National Agency Checks with Investigations according to HSPD-12 criteria. Prior to these initiatives, early movers to the cloud had to take on undue risk to meet desired timeframes.
Agencies can fast track their realization of cloud savings and other benefits while simultaneously
addressing the security and privacy challenges highlighted by NIST, by leveraging GSA’s IaaS BPA.
By choosing cloud providers on the GSA BPA for IaaS, agencies can confidently achieve:
✓ Data ownership and protection approaches clearly stating that agencies own their data
and spelling out mutually agreed processes the agency and cloud provider will follow for
Freedom of Information Act or other data requests
✓ Clear scope of security models and environments that are pre-tested by the government
to meet FISMA Moderate Risk Impact requirements and provide continuous monitoring.
Agencies with higher security requirements can work with certified cloud providers to
design and deploy systems that meet more stringent specifications.
✓ Transparency into what security features are included in a cloud bid, and what additional
services are available or desired by the agency to meet its specific needs
✓ Ability to solve many security challenges more efficiently than internal solutions by leveraging
the significant investments made by providers to deliver superior controls and enterprise-
class production environments that are pre-tested and certified by the government
✓ Savings in time and money by using existing security authorizations, eliminating the need
to visit data centers and pursue and justify separate infrastructure accreditations (typically
40% of the A&A level of effort)
“Ensuring data and systems security is one of the biggest and most important challenges
for federal agencies moving to the cloud. FedRAMP’s uniform set of security authorizations can
eliminate the need for each agency to conduct duplicative, time-consuming, costly security reviews.” 1
–David McClure, GSA’s Associate Administrator for Citizen Services and Innovative Technologies
1 “Guidelines would speed certification of cloud products, services”, November 2, 2010, Government Computer News
[Figure: Federal systems by FISMA risk impact level. Low: 40%; Moderate: 48%; High: 12%.]
Source: Fiscal Year 2009 Report to Congress on the Implementation of The Federal Information Security Management Act of 2002
• 40% of categorized systems are classified as Low Risk Impact. Examples include public-facing
websites with non-sensitive data as well as applications such as inventory systems. Systems with
public data that is subject to transparency requirements have been among the first to leverage the
cloud. For example, the Recovery Accountability and Transparency Board deployed Recovery.gov in
the cloud, and NASA has also leveraged the cloud for public information. When considering the public
cloud for such systems, agencies should ensure that cloud providers can provide a security level that
prevents data tampering or disruption of service.
• 48% of categorized systems are classified as Moderate Risk Impact. These include systems
supporting operations and those processing sensitive data such as personally identifiable information
(PII), Confidential Business Information (CBI), and personal health information. Federal financial
systems that process budget and procurement information, purchase card numbers, banking
information for payments, or Social Security Numbers would be categorized as Moderate Risk
Impact. Often, such financial systems are better suited to Virtual Private Clouds for which agencies
can dictate their required levels of security. Virtual Private Clouds give agencies exclusive use of
computing infrastructure and allow them to prescribe specific security measures without requiring
infrastructure investment.
For agencies preferring that their cloud provider perform continuous monitoring, backup and restore
data, and/or guarantee that data centers are located on U.S. soil, certified providers on GSA’s BPA for
IaaS will meet these requirements.
[Figure: FedRAMP lines of responsibility. Layers shown from top to bottom: Major Application, Operating System, Hypervisor, Physical, with a boundary line drawn between the Operating System and Hypervisor layers; the Hypervisor and Physical layers are labelled Cloud Service Provider Responsibility.]
Note: Agencies must provide the Disaster Recovery (DR) testing and planning for their own cloud-based applications. This is unlike a typical managed hosting offering that includes the recovery plans and testing. As a result, agencies may require DR services beyond the cloud offering to complete their needs.
Next steps
CGI offers a disciplined transition process to get you to the cloud with confidence. We are one of the
12 awardees under GSA’s BPA for Infrastructure as a Service. One of our expert executive consultants
also chairs TechAmerica’s public sector task group which is providing industry input into FedRAMP.
CGI’s cloud offerings compel the development of well-managed cloud initiatives because processes,
governance, security and compliance are all embedded in our solutions.
In addition, as a full-service cloud and security partner, CGI helps protect operations at the infrastructure and data layers and provides advisory services designed to assess and strengthen security strategies. We offer the full range of security services, including security governance and engineering, cybersecurity and managed security services (e.g. program, configuration, incident and event management and business continuity services). Our certified, accredited and security-cleared experts use proven industry best practices such as ITIL and SANS, continuous monitoring, real-time reporting and immediate action on suspicious activity.
To learn how to find greater security in the cloud for your agency, or to talk to a CGI cloud expert
about your specific situation, contact your CGI Federal program manager or visit us at
www.cgi.com/federalcloud.
About CGI
A global leader in IT, business process and professional services, CGI partners with federal agencies
to provide end-to-end solutions for defense, civilian and intelligence missions. For 35 years, we have
delivered quality services to help clients achieve results at every stage of the program, product, and
business lifecycle. We deliver end-to-end solutions in application and technology management,
systems integration and consulting, business process management and services, advanced
engineering and technology services, and operational support services. Our proven capabilities in
high-demand areas include cloud, cybersecurity, biometrics, citizen services, data exchange, health
IT and energy/environment. CGI has 31,000 employees in 125+ offices worldwide.