EPA's Transition to the Cloud
Environmental Protection Agency Leverages FedRAMP Process
The Environmental Protection Agency earlier this year transitioned more than 22,000 e-mail users to Office 365 for Government, a cloud service from Microsoft that hosts productivity applications.
I wanted to interview an EPA IT security official to get his or her thoughts on cloud computing, believing the lessons learned from the Office 365 project as well as other initiatives would be of interest to our readers.
It's not unusual for a government agency or business to decline our request, which is what the EPA did, although many other organizations do grant interviews. However, the EPA agreed to answer questions submitted by e-mail. Typically, e-mail responses to questions have a name behind them. Not so this time; the agency requested that answers be attributed to EPA. So be it, at least in this one instance.
What's on the Cloud?
Information Security Media Group: What types of data, applications and infrastructure are being moved to the cloud by the EPA?
EPA: EPA's initial focus on cloud services has been in the areas of infrastructure services and productivity platforms. EPA's first three cloud moves established: Managed Trusted Internet Connection Services [a federal initiative to enhance security by limiting gateways to the Internet] through AT&T for EPA's edge security services; enterprise call center services through CGI for technical support and call management; and enterprise web conferencing through Connect Solutions.
In February, we transitioned over 22,000 e-mail users to a cloud solution engineered by Lockheed Martin and Microsoft. With the Lockheed/Microsoft solution, EPA establishes an enterprise e-mail and collaboration solution based on Office 365, Lync and SharePoint. EPA also awarded a contract with CGI for cloud-based infrastructure-as-a-service platforms to support custom applications and we are working with CGI to integrate this offering to support our shared services application platforms.
Data, Apps Sensitivity
ISMG: What types of data, applications and infrastructure would the EPA not move to the cloud?
EPA: EPA has not made a class-based determination to exclude data or applications from cloud services. Cloud services and security are evolving rapidly. Cloud suitability must be assessed in the specific context of the application and consider data sensitivity, the specific control framework offered by a cloud solution and the cost benefit of the solution. However, our initial focus has been on low and moderate sensitivity applications.
ISMG: Who's involved at the EPA in deciding what data, applications and infrastructure should or should not be moved to the cloud?
EPA: Application suitability assessment is a collaborative effort involving our application owners, infrastructure operations teams, information security officials and authorizing officials.
Assessing Cloud Security
ISMG: What security measures do you take before, during and after moving data, applications and infrastructure to the cloud?
EPA: To scope the answer, we'll consider this question from the perspective of focusing on the cloud provider.
Before we move information or obtain services, we verify the provider can meet our information security control requirements. To do that, we leverage provisional authorizations granted by the Joint Authorization Board under FedRAMP [the Federal Risk and Authorization Management Program is a federal initiative to vet the security provided by cloud providers] as well as authorizations supported by security assessment packages that meet FedRAMP requirements as much as possible.
We review the packages to ensure we understand what controls the provider has in place, how the controls operate, if they have been validated as working properly by a third-party assessor and what known weaknesses exist and their residual risks. Any risks identified from this review are combined with any risks identified in associated EPA or EPA-contracted systems to determine if the overall residual risks are acceptable in order to obtain an EPA authorization or if mitigation work is required. Where FedRAMP documentation does not exist, we follow the FedRAMP process to document and implement as necessary and validate controls to obtain an EPA authorization.
But in essence, we ensure the methods used - e.g., network or portable media transfer to move EPA information - protect it appropriately.
After the move, we again follow the FedRAMP process and guides to require providers to give us control status information, which includes, for example, periodic reports, annual control validations, incident and data disposal reports. EPA follows the same National Institute of Standards and Technology and Federal Information Security Management Act processes for cloud as we do for any general support system or application.
Timing the Move to the Cloud
ISMG: How much does it cost the agency to prepare to move data, applications and/or infrastructure to the cloud and what would be the return on the investment?
EPA: The most cost-efficient timing for a cloud move is to align with application or platform refresh cycles. Return on investment must be assessed in the context of the specific application or platform.
ISMG: FedRAMP has begun to approve cloud vendors. How does that affect the way EPA is moving to the cloud?
EPA: FedRAMP should simplify the authorization process and produce both time and cost efficiencies. EPA has not yet completed a FedRAMP-based cloud service authorization.