How FedRAMP Lifts All Cloud Ships

FedRAMP’s role in making cloud services safer also helps agencies offset some of the complexity in their IT operations, says NIST’s Ron Ross.

If you spend any time listening to what government IT executives are talking about in Washington these days — besides the NSA’s data-collection practices and what everyone should have learned from HealthCare.gov — it’s hard to ignore at least some discussion about secure cloud computing and a federal program called FedRAMP.

Talk to IT executives outside of Washington, however, and it’s evident that discussions about FedRAMP and its impact on cloud service providers are reaching far beyond the Beltway and rippling through the boardrooms of IT services providers. As Amazon Web Services VP Teresa Carlson said in a recent interview: “Cloud companies cannot perform any [government] procurement or award without having the ability to achieve the FedRAMP standards.”

For those new to the discussion, FedRAMP is a program cooked up by a group of savvy bureaucrats who grasped the potential for cloud computing, but also understood that, without help in overcoming the government’s own red tape, federal agencies faced a long road to cloud adoption. The reason stems from the fact that every federal agency must assess and certify the security risks of its IT systems. Cloud computing added a new layer of complexity to the government’s security requirements and procurement contracts.

How FedRAMP — the Federal Risk Authorization and Management Program — succeeded in greasing the policy skids for agencies and creating a set of baseline security standards now gaining attention from cloud computing providers, and even some of their commercial customers, is the subject of an InformationWeek Government special report released this week.

Ron Ross, one of FedRAMP’s architects from the National Institute of Standards and Technology, believes FedRAMP is very important to agencies and cloud computing service providers for a number of reasons.

NIST’s Ron Ross.
(Source: NIST)

“It sets very clear expectations on what security controls are needed” to reduce an enterprise’s IT security risks, Ross says. He points to FedRAMP’s insistence on third-party assessment organizations to “validate that cloud service providers have implemented those controls. That’s good for industry and it’s good for federal agencies,” he says.

Ross also sees a greater good in the way FedRAMP helps support cloud computing and offsets IT complexity. “The more we will address our complexity problem by moving as much IT as is acceptable to the cloud, the more that frees up our remaining resources. That’s an excellent section of the equation in attempting to lock down our critical infrastructure,” he argues.

While federal agencies placed down payments on $17 billion worth of cloud computing projects this past fiscal year, FedRAMP officials know they should do more to attract a much wider range of cloud services — and to cajole agencies to take advantage of FedRAMP-certified services.

More should also be done to educate federal officials about the potential savings and false promises that come with cloud computing. That’s one reason for the announcement, made last week, by Congressmen Darrell Issa (R-Calif.) and Gerry Connolly (D-Va.) that they and a group of industry supporters had agreed to launch the Cloud Computing Caucus Advisory Group, which they hope will enlighten the discussion on cloud computing.

But this much is clear: FedRAMP is a program more people will be talking about, and not just in Washington.

Wyatt Kash is editor of InformationWeek Government. 