Transition Plan Released for Cloud Security Baseline Update

Published: April 23, 2014

Cloud Computing, Cybersecurity

The program office at the General Services Administration (GSA) in charge of overseeing the government-wide baseline for cloud security is set to tackle its first update of requirements. As the Federal Risk and Authorization Management Program (FedRAMP) releases revised security controls, vendors will be tasked with ensuring their cloud offerings comply with the changing standards.

Along with the Federal Information Security Management Act and agency guidance, the initial FedRAMP baseline leveraged the third revision of a special publication from the National Institute of Standards and Technology (NIST), Security and Privacy Controls for Federal Information Systems and Organizations (SP 800-53). Even as the FedRAMP office established guidance around this document, a fourth revision was underway. The update to SP 800-53 was finalized at the end of April 2013, and it marked the most comprehensive update to the security control catalog since 2005. Changes in this revision incorporate the “Build It Right” strategy and continuous monitoring, and additions to the controls and control enhancements cover mobile and cloud computing. (The update expands the catalog of security controls from 600 to more than 850.) Following the publication of the fourth revision of SP 800-53, the FedRAMP program office solicited public comment on the update. It’s expected that the changes to the FedRAMP baseline controls will reflect this feedback.

With FedRAMP’s rolling application process and approvals that incorporate continuous monitoring, hard and fast changes to baseline controls would have raised challenges for agencies and vendors alike. Federal agencies continue to fine-tune their cloud security requirements, especially around data sensitivity and privacy concerns. Meanwhile, cloud security providers find themselves at different stages of the FedRAMP process. Considering the ‘crawl, walk, run’ approach the program adopted from inception, it’s fitting that GSA’s transition plan takes a phased approach to implementing adjustments as standards evolve.

The FedRAMP program office is offering guidance to cloud service providers (CSPs) through a plan released on Tuesday, April 22, 2014. Under its transition strategy, CSPs fall into three categories: Initiation, In Process, and Continuous Monitoring. All CSPs will be subject to compliance with the new baseline eventually. While vendors that fall into the Initiation category will need to adopt the new controls immediately after their release, providers in the other two categories will have some time to achieve compliance and submit updated documentation.

Initiation: Vendors in the Initiation category include any providers that are not yet in contract discussions with a federal agency, that are in the early stages of applying to FedRAMP, or that are in the readiness review process. This also extends to vendors expecting to start review for provisional authorization by the Joint Authorization Board after the release of the new baseline and templates. Providers in this group will be expected to implement the new baseline, use the updated FedRAMP templates, and test all new controls before receiving authorization.

In Process: This category pertains to CSPs that have made some headway in the approval process. Providers will qualify if they have commenced review for authority to operate (ATO) by the Joint Authorization Board (JAB) by June 1, 2014. Cloud providers with agency-level progress may also qualify: as with review by the JAB, cloud vendors under agency review for an ATO by June 1 qualify. Also, providers that have a contract or are in contract negotiations with agencies before June 1, 2014 will be considered “in process.” These vendors will be able to complete the ATO review using the current baseline (the SP 800-53 revision 3 FedRAMP controls and templates). They will have one year from their authorization date to comply with the new baseline.

Continuous Monitoring: These are the vendors that have already completed the FedRAMP process. CSPs with current authorizations and an annual assessment completed before June 1, 2014 will have one year from the last date of their assessment to comply with the new baseline.

At the beginning of 2013, some 70 providers were reported to be in the FedRAMP application queue. As of April 2014, fewer than 20 providers have achieved compliance. That leaves around 50 vendors in either the Initiation or In Process category. Those in the Initiation group could face significant additional business expenses as they rush to comply with the new controls and avoid further delays in achieving authorization. According to a notice from the program office, “the level of effort will require testing between 140 to 150 controls.” This includes around 72 new controls in revision four and 70 core controls for annual testing. The revised FedRAMP baseline is expected to be released on or about June 1, 2014.