Offspring Solutions CPIC and FedRAMP

The Federal Government is working harder than ever to tighten budgets and spend tax dollars where they count the most. There is a huge push in the Office of Management and Budget (OMB) to ensure that investments in Government Technology are cost effective and implemented properly. OMB released a report last month outlining their authority to enforce higher standards when it comes to Government Cyber Security investments. You can download the full report here: “Updating U.S. Federal Cybersecurity Policy and Guidance; Spending Scarce Taxpayer Dollars on Security Programs that Work.”

The report’s main recommendation is for the continuous monitoring of IT Investments, and for good reason. In 2009, the State Department became the first government agency to implement continuous monitoring efforts. Within one year, their risk rating on 85,000 computers worldwide dropped by 90%.

OMB’s recommendation for continuous monitoring of IT investments means that organizations must focus more on Capital Planning and Investment Control (CPIC), and take note of a new development: FedRAMP.

At Offspring Solutions, we provide significant expertise in working with agencies on CPIC initiatives. We make sure that our clients leverage the right tools to function at peak efficiency, whilst meeting certain set standards. It’s critical that standards are continuously met in the world of Government IT, as the landscape is always changing and sensitive material is at stake.

CPIC is a structured approach to managing investments in Information Technology. It was first brought up in the Clinger-Cohen Act of 1996, a Federal law designed to improve the way the government acquires and uses Information Technology. CPIC ensures that all IT investments align with the EPA mission and support business needs while minimizing risks and maximizing returns.

The three major steps in the CPIC process are selection, control and evaluation. Starting with selection, CPIC experts will select an IT initiative to research and fund. Next, it is time to monitor the initiative’s process and compare it to costs, schedule, performance and expected goals. Finally, when analyzing the initiative’s results, CPIC experts will first assess the initiative’s impact on the strategic performance. Next, they identify any modifications that might be needed and, finally, revisions to the initial investment are made as needed.

CPIC Evolved: FedRAMP

In early June 2012, the government launched the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP is a government program that provides a standardized approach to security assessment, authorization and monitoring of cloud products and services. In essence, FedRAMP was created to monitor cloud products and services to make sure they meet and continue to meet baseline security requirements. Participation in FedRAMP is mandatory for any organization that offers cloud products or services to Government Agencies. This is a big development, as government agencies will only leverage cloud services from FedRAMP-approved vendors.

Why FedRAMP? Government agencies have already adopted cloud computing practices, but there have been too many inconsistencies across the board. There must be set standards for security best practices when it comes to leveraging the Cloud. Below is a bit of insight into the three process areas through which FedRAMP will allow agencies to authorize cloud service:

1. Security Assessment:

Security Authorizations are granted based on requirements set in accordance with the Federal Information Security Monitoring Act (FISMA) using a baseline set of NIST 800-53 controls. The process begins with the Agency or Cloud Service Provider (CSP) initiating a request by applying to FedRAMP to initiate an assessment of service. After the CSP has implemented the required security controls, everything must be documented in a System Security Plan (SSP). After the SSP is approved, a Third Party Assessment Organization is contracted to independently test the effectiveness of the CSP’s security control practices. After the test, the Joint Authorization Board (JAB) reviews all documents and decides whether or not a Provisional Authorization is to be granted.

2. Leveraging an Authorization:

The Project Management Office (PMO) will maintain a repository of FedRAMP Provisional Authorizations granted by the JAB Authority, and other security assessment packages meeting FedRAMP requirements for agencies to review. Agencies can use their Provisional Authorizations to grant their own ATO, and add additional controls to the baseline as needed.

3. Ongoing Assessment and Authorization:

Continuous monitoring ensures that all security controls implemented during the security authorization stay in place and remain effective. This is an integral part of keeping pace with technological developments. Ongoing Assessment and Authorization is done through three steps: Operational Visibility, Change Control Process, and Incident Response. These three key areas use automated data feeds and reports to keep an eye on things while modifying controls if needed, and also focus on managing new potential risks and vulnerabilities.

We are very familiar with FedRAMP and Government approved processes here at Offspring Solutions. We have years of real world experience with implementing IT Solutions in the Federal landscape.  As your organization starts to plan for the future, let us help. We have the experience and proven track record to help your company select the best path towards modernization. Give Offspring Solutions a call today at (703) 277-7752 to discuss your organization’s next steps.
