According to articles posted by Nextgov ("White House set to complete security standards for cloud computing services next year") and ExecutiveGov ("Kundra: Expect Formal Federal Cloud Security Standards in 6 Months"), the federal government, through the FedRAMP program, could seek to release the final FedRAMP publication sometime this summer.
But is industry ready to take on the responsibility of securing government data? Do the members of the Joint Authorization Board (GSA, DHS, DOD, and the sponsoring agency) have enough information to fully qualify the risk of moving to the cloud as part of the risk-based decision for authorizing Cloud Service Providers? What gaps exist within the FedRAMP (DRAFT) and can those gaps be adequately addressed within the next 6 months or so?
The importance of FedRAMP's success must not be understated: it will support a much larger purpose, the adoption of the "Cloud-first" policy. As published by the Federal Times in an article titled "Administration lays out five-part IT improvement plan" (among many similar articles), "The Office of Management and Budget has set an ambitious six-month timetable for jump-starting new information technology reforms, which include ... adoption of a "cloud first" policy for IT projects ..." It further states: "By April, he wants agencies to implement "cloud-first" policies when considering IT purchases."
What the specifics of the "cloud-first" policy are, and how security will play a role, will be further outlined, as "Federal CIO Vivek Kundra will release a more detailed execution plan on Dec. 9." However, as paralleled across the industry, migrating to the "Cloud" is not just about the adoption of technology, but also about the protection of the data and the assurance that data classification and information management/governance are key parts of the senior leadership's decision on what would be considered applicable under the "cloud-first" policy.