The Office of Management and Budget has circulated draft revisions to the governmentwide policy governing information resources management that some agency executives say will add unnecessary layers of bureaucracy to an already lengthy and costly cloud certification process, FedScoop has learned.
The proposed revision to Circular A-130 — Management of Federal Information Resources — would give agency privacy offices separate and independent authority over the Federal Risk and Authorization Management Program, or FedRAMP, the government’s standard approach to cloud security assessment and authorization. Privacy officer approval would be separate from the current security assessment process and could force the final authorization request to be taken to the agency head, according to several officials who have reviewed the document.
Another proposed change would allow security and privacy controls to be documented separately: under the draft, the two sets of controls could be covered in a single plan or in two separate plans, according to officials.
“That by itself is problematic. There’s a designated authorizing authority or there’s not,” said an official who’s seen the proposed changes but was not authorized to comment on them publicly. “You’re making the security and privacy bifurcation even worse. It should just say the authorizing authority has to take into consideration security and privacy and there should be one plan that covers both.”
The practical impact of these proposed changes on the FedRAMP process remains unclear. But at least two agency officials familiar with the revisions told FedScoop the idea of taking a cloud certification to a Cabinet secretary for final approval was absurd. “Yeah right,” said one agency official, laughing. “OMB just doesn’t get it.”
Under the FedRAMP process, agencies are responsible for conducting privacy assessments once the data being moved to the cloud has been identified. But in interviews, officials said even the privacy committee of the CIO Council has been slow to move on critical issues, taking nearly six months to decide which privacy controls should be the responsibility of the cloud provider and which should be the responsibility of the agency.
According to the agency officials interviewed by FedScoop, the technical aspects of agency privacy controls can already be mapped to the baseline security controls in National Institute of Standards and Technology Special Publication 800-53. What is missing, the officials said, is a privacy impact assessment and policies governing agency procedures for when data is breached.
“Privacy should definitely be part of the process, and OMB should clarify that it should be,” said an official who reviewed the draft revisions. “But creating a dual-lane structure with two authorizing officials rather than one could lead to a more complex, time-consuming and costly process.”
The revised OMB Circular A-130 covering management requirements for moving federal data to the cloud is due to be released by December.