"For our own cloud environment, we're in the process of asking the feds to certify us for FedRAMP certification. We're the first state in the nation to do that," Ramos said.
The Federal Risk and Authorization Management Program (FedRAMP) is "a governmentwide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services," according to the program's website.
More than 80 percent of federal cloud implementations are going through the FedRAMP approval process, according to one estimate.
Ramos said FedRAMP should improve the state's cybersecurity, although he said applying is a process. He said because California is the first state to pursue FedRAMP, the federal government has had to figure out how to grant the certification.
Ramos noted CalCloud, the state's private cloud, adheres to several well-known cybersecurity standards, such as HIPAA, Social Security Administration, FIPS, IRS 1075, Payment Card Industry (PCI), CJIS, NIST and FISMA.
But the state's measures extend beyond certifications.
"We've taken sort of a layered approach to information security, which includes not only building the system to standards and making sure our offerings from our vendor-hosted subscription services conform to those standards, but investment in a number of different technologies," Ramos said.
He mentioned the state is investing in firewalls, incident and event management, vulnerability scanning, physical safeguards, network intrusion detection, and other technologies.
FedRAMP explains that it authorizes cloud systems in a three-step process:
- Security Assessment: The security assessment process uses a standardized set of requirements in accordance with FISMA using a baseline set of NIST 800-53 controls to grant security authorizations.
- Leveraging and Authorization: Federal agencies view security authorization packages in the FedRAMP repository and leverage the security authorization packages to grant a security authorization at their own agency.
- Ongoing Assessment & Authorization: Once an authorization is granted, ongoing assessment and authorization activities must be completed to maintain the security authorization.