Government-wide Cloud Security Baseline Gets an Update

Published: June 11, 2014


The government-wide program that provides a standardized approach for cloud security assessment, authorization, and continuous monitoring for cloud products and services released the first major update to the security controls since its launch.

Managed by the General Services Administration (GSA), the Federal Risk and Authorization Management Program (FedRAMP) leveraged guidance from the National Institute of Standards and Technology (NIST) along with the Federal Information Security Management Act (FISMA) and input from government stakeholders when it established an initial set of security controls. In particular, FedRAMP leveraged guidance from NIST’s Special Publication 800-53, which completed its fourth revision in April 2013 and expanded the catalog of security controls from 600 to over 850. Additional controls from the expanded catalog were selected by the FedRAMP Joint Authorization Board (JAB) to address the unique risks of cloud computing environments, such as multi-tenancy, visibility, shared resource pooling, and trust. These security controls have been added to the FedRAMP baseline, along with guidance and requirements around the controls.

In addition to the update to the baseline security controls, FedRAMP also released new templates for cloud service providers submitting solutions for review. As we previously covered, these templates must be used by any providers that are not currently in contract discussions with a federal agency, or that are in the early stages of applying to FedRAMP or in the readiness review process. While vendors that are still in the “Initiation” phase are expected to implement the new baseline prior to receiving authorization, service providers in the “In Process” and “Continuous Monitoring” categories have one year to comply with the new baseline, measured from their authorization date or most recent assessment, respectively. The expectation, then, is for all FedRAMP CSPs to comply with the new baseline in 2015. Since agency compliance with FedRAMP is being assessed through PortfolioStat and other existing processes, it’s unlikely that any measure of progress will be available before September (after PortfolioStat sessions are completed).

In the meantime, another development in the FedRAMP program is drawing attention through the work with GSA’s Federal Cloud Credential Identity Exchange (FCCX). The exchange will draw on partnerships with agencies like the U.S. Postal Service and NIST. More information about the updates to the FedRAMP program and its security controls will be available through upcoming GSA webinars, offered through DigitalGov University and scheduled for the week of June 16.