This isn’t Autonomic Resources’ first rodeo.
The cloud service provider (CSP) earned FedRAMP approval in 2012, making it the first CSP to earn compliance from FedRAMP and the first to earn compliance from the Defense Information Systems Agency (DISA). Three weeks ago, the company earned the Joint Authorization Board’s provisional authority to operate for its Platform-as-a-Service (PaaS) solution.
FedRAMP411 caught up with John Keese, director of government cloud solutions, to find out more.
Computer Sciences Corp. purchased Autonomic Resources in February for an undisclosed sum. The acquisition of Autonomic Resources is intended to help CSC gain traction in the public-sector cloud market.
Authorization Date:
Dec. 26, 2012 (ARC-P)
Oct. 9, 2015 (ARCWRX)
Deployment Model:
Autonomic Resources Cloud Platform (ARC-P): Government Community, Private, Hybrid
ARCWRX: Government Community Platform-as-a-Service
Impact Level:
Moderate (both)
Cloud category:
ARC-P: Infrastructure-as-a-Service
ARCWRX: Platform-as-a-Service, leveraging ARC-P Infrastructure-as-a-Service
ATO path:
JAB
Q&A
FedRAMP411: Tell us about the ARCWRX product.
Keese: The ARCWRX Platform-as-a-Service (PaaS) offering, built on Red Hat OpenShift, provides an application development platform within a multi-tenant virtual environment leveraging the ARC-P Infrastructure-as-a-Service (IaaS) system. Provisioning, automatic scaling, and management of application containers are inherent platform features. The ARCWRX platform allows customer agency and mission developers to design, build, publish, manage, and scale government applications in a secure virtual container run-time environment utilizing programming languages such as Java, PHP, Ruby, Node.js, and Perl with database options including MongoDB, MySQL, and PostgreSQL.
FedRAMP411: Tell us about the ARC-P product.
Keese: ARC-P GCC provides agencies and government contractors physical or virtual machines in a shared government-only cloud stack. ARC-P IaaS supplies elastic compute resources on demand from ARC-P compute pools installed in our CONUS-only data centers. ARC-P GPC offers the same features as ARC-P GCC with additional logical and physical separation for private cloud environments that require a dedicated hardware stack. ARC-P SDC (Secure Data Center) service provides agencies and government contractors secure IT system co-location services to assist with federal data center consolidation mandates along with their cloud-first requirements. ARC-P SDC allows government customers to co-locate their non-virtualized and legacy IT systems, as well as IT systems and private cloud stacks in which an agency or government contractor wishes to develop, deploy, and manage the full IT stack within the ARC-P FedRAMP JAB-authorized Security Authorization Boundary, with the ability to leverage and inherit those ARC-P security controls that apply specifically to the physical environment and physical security of our facilities.
FedRAMP411: Tell us about your road to FedRAMP compliance. How long did it take to become FedRAMP compliant, and why did you choose the JAB route?
Keese: We applied for JAB processing in May 2014. We started actual processing in October 2014. We chose the JAB route to allow the best security authorization available, to allow the best path for DoD SRG accreditation, and to prepare our offering for the FedRAMP High baseline.
FedRAMP411: What guidance would you offer to others regarding the JAB process?
Keese:
1) Have a dedicated team of security and technical staff responsible for the FedRAMP authorization process.
2) Properly do a gap analysis between the controls you may have in place and the FedRAMP controls required.
3) Prepare to assume your controls are not up to standards and that your documentation is not what it will need to be to get through the process.
4) Engage with a cloud service provider (CSP) or Third Party Assessment Organization (3PAO) that has been through the process and understands its challenges; partner with those who have accreditations in place versus trying to go it on your own.
5) Have management and staff committed to meeting the FedRAMP standards and accreditation requirements.
6) Be prepared for continuous monitoring; it's the ongoing compliance that will really be the hard part.
FedRAMP411: What do you know now that you wish you knew before the certification process?
Keese: Put a project manager in place for the effort from the beginning, and run it as a fully managed project with proper time targets and milestones.
FedRAMP411: Why do you think some CSPs move faster through the certification process than others?
Keese: Because they have committed to the process, are willing to “partner” with the FedRAMP PMO, and don’t treat the process as hostile. It is voluntary; treat it as such. Ensure staff understand the importance of documentation and treat security very seriously. Don’t try to shortcut the process, or allow management to influence you into bad choices.
FedRAMP411: Which 3PAO did you work with?
Keese: Veris. They are experienced professionals with a track record of bringing CSPs through the FedRAMP process.
FedRAMP411: Based on your recent experience, how can the FedRAMP process be improved overall?
Keese: Ensure agencies understand the rigor of becoming FedRAMP certified and that the process often exceeds agency security rigors.