Rizzo discusses FedRAMP’s evolution, need for PI security at DICE East
The Federal Risk and Authorization Management Program (FedRAMP) has worked well so far, but more efforts remain to ensure data centers are physically secure as the federal government moves its vital and sensitive data to the cloud supported by the private sector.
That was the message at the Bisnow Datacenter Investment Conference and Expo East 2022 in Reston, Virginia. On May 24, CyrusOne Public Sector Vice President Anthony Rizzo joined a DICE East panel called “As the U.S. Federal Government Continues its Move to the Cloud, Are You FedRAMP Ready?” Panel members also included Oracle National Security Group Vice President of Cloud Operations & Engineering Steve Derr, Intel Corp. Americas Chief Data Scientist Melvin Greer and MITRE President Katy Warren.
The U.S. Government Services Agency defines FedRAMP as “a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.” It “empowers agencies to use modern cloud technologies, with emphasis on security and protection of federal information, and helps accelerate the adoption of secure, cloud solutions.”
SecureIT President and CEO David Trout moderated and began the panel by explaining FedRAMP has four constituents: cloud service providers that get FedRAMP-authorized; third-party assessment organizations (3PAOs); federal agencies that consume the cloud services; and the FedRAMP program management office that runs the programs, sets the guidelines, develops the standards and credits the 3PAOs.
To get FedRAMP authorization, a cloud-service provider needs a federal agency sponsor. Data center companies like CyrusOne must undergo a security assessment to get that agency sponsor and allow it to provide cloud services to federal agencies. And that’s where Rizzo comes in, helping CyrusOne with its role in FedRAMP to provide high-side and low-side data centers for cloud service providers (CSPs) as it scales its public sector business.
Trout asked Rizzo what he sees in terms of the security and compliance requirements of CyrusOne customers and potential customers, and whether FedRAMP has been on CyrusOne’s radar. Rizzo clarified that FedRAMP compliance has nothing to do with the data center itself – it’s the cloud component.
“Now, we have to build a secure environment to host low- and high-side FedRAMP clouds,” Rizzo said. “The federal government has made the commitment to essentially outsource co-location data centers and cloud services and the as-a-service programs to us as an industry, and that’s a very good thing, from the CSP to the data center owner operator to the contractors that work and support the builds and support the network in the cloud. That’s not anything that we’ve ever been asked to provide services for in the past.”
He recalled responding in 2005 and 2006 to market surveys and RFIs around singularity, ICDC that pointed toward consolidated efforts for the federal government to come to co-location facilities. The fruits of those efforts are evident in 2022, according to Rizzo.
“The number of opportunities over the next decade are going to be phenomenal for all of us,” Rizzo said. “From a compliance and cyber perspective, if you look at the system security plan for FedRAMP, there are only two items that a co-location provider or the facility that it pertains to, and that’s the personnel security, PS, and the physical and environmental security, PE. That was very surprising to me, because if you look at a data center, I should think the physical infrastructure, PI, itself should be part of that process.”
He added that the automation systems, the building management systems, the DCIM, intelligent battery monitoring, and the software running on the vendor equipment that powers and cools the data center and data halls are vulnerable and open to a cyber-attack, yet none of it is currently part of the FedRAMP authorization.
“It’s something they need to look at and entertain because you can hack into that,” he said. “We must be cognizant of that. There are certain things that we do, like follow NIST SP 800-82. But as FedRAMP evolves, I think that’s something that they’ll have to put in, the physical infrastructure piece, because the migration for the government to industry to support all their as-a-service and cloud programs is not going away.”
FedRAMP will need to continue its work to establish PS and PE infrastructure compliance needs and standards. But CyrusOne already measures up and complies with all the PS and PE security standards, and Rizzo remains dedicated solely to its public sector work.
Trout agreed PS and PE are areas where FedRAMP must evolve, with 3PAOs like SecureIT eventually folding in those assessments in its work.
“If you look at the compliance that we look at now as a facility, it’s around directive 705, and SCIF is what everyone wants to talk about now,” Rizzo added. “If you look at what they go through from a FedRAMP authorization process for low and high, to go through an ICD 705 accreditation is a very stringent process that starts at design through construction. That’s something we must follow, especially as we’ve never had the government in years past take high-side programs and move them to third-party industry. So again, we must be cognizant and give them the confidence we can handle that, and we’ll see it continue to grow.”
Greer noted that at present, the federal government’s mission capability increases as its IT budget decreases. That’s why FedRAMP is so important: its security controls and authorization process standardize the services and the way they are secured, and create a common language for security. FedRAMP makes it possible to interoperate and integrate, and is foundational to the way government operates.
“That’s really a key point because this isn’t about leasing data center space and selling megawatts,” Rizzo said. “There’s a soldier or analyst in the field who needs access to the data that’s rolling through our facilities, and if they don’t have access to that data, there’s national security implications for us as we sit and exist here today. So, this is well beyond who can build a data center quicker and faster. It’s about access to that data, both CONUS and OCONUS.”