HHS manages risk in using cloud through federal program
The Department of Health and Human Services has embraced a government-wide program that provides a standardized approach to the cloud through security assessment, authorization and continuous monitoring.
HHS Chief Information Officer Jose Arrieta told a House subcommittee on Wednesday that the agency sees the Federal Risk and Authorization Management Program (FedRAMP) as a “strategic enabler” and the “fulcrum” for its IT modernization efforts, noting that more than 60 FedRAMP-certified cloud technologies and services are in use across the department.
According to Arrieta, leveraging cloud technology through the FedRAMP process has resulted in greater data sharing, enhanced data security and financial savings. He said HHS was the first agency in 2013 to sponsor a cloud service provider through FedRAMP and in the past five years has authorized 14 cloud service providers and currently maintains authorizations for nine unique cloud offerings.
“We support the standardization and reuse model,” Arrieta testified. “This ‘do once, use many’ model has saved the department and its customers countless hours of security assessment time by being able to review and utilize existing documents that have already been approved by other agencies.”
Security is a central concern for HHS, he told lawmakers, as the agency is responsible for safeguarding the data of one in three Americans—including personally identifiable information and protected health information.
“Having a clear understanding of the risk associated with using a particular cloud technology—given the information HHS is charged to protect—is critical. The FedRAMP program enables this,” according to Arrieta’s testimony.
In addition, he said HHS uses a continuous monitoring approach to ensure that cloud technologies and systems maintain an acceptable level of risk and that cloud service providers’ responsibilities do not end when their FedRAMP authorization is issued.
“We meet with cloud service providers’ technical and security staff on a monthly basis to review results of regular security scans and tests to gauge progress against the remediation of cybersecurity issues or weaknesses,” testified Arrieta. “We conduct an annual review of each cloud service provider we sponsor. This review represents a comprehensive assessment of a subset of critical security controls through the use of vetted third-party testers.”
For those cloud service providers that fail to adequately address risk, he noted that HHS has an “escalation process” to ensure that risks are appropriately remediated within specific periods of time; otherwise, the agency’s authorizations for their cloud-based technologies and systems are revoked.
“Currently, there are few penalties for non-compliance if a cloud provider fails to follow FedRAMP requirements after being sponsored through the process,” added Arrieta. “HHS has developed its own process to handle these issues, but we would encourage a standardized government-wide process for FedRAMP oversight and enforcement in such situations.”