Government Prepares Cloud Security Standards for Sensitive, Unclassified Data

Published: January 20, 2016

Tags: USDA, USAF, Cloud Computing, Cybersecurity, Digital Government, GSA, Innovation

The federal government is close to finalizing the security requirements for cloud systems handling sensitive, unclassified data. The General Services Administration (GSA) Federal Risk and Authorization Management Program (FedRAMP) office closed the comment period on the draft high security baseline on January 8, 2016.

The FedRAMP program spent much of 2015 advancing a draft of the requirements for the higher security baseline, including engaging a Tiger Team of federal IT managers to assess proposals and review comments. The final draft was released for public comment on December 18, 2015. Once the FedRAMP high baseline is finalized, cloud service providers will be able to be assessed for handling data such as patient health records and law enforcement data. When the first draft was released early in 2015, FedRAMP Director Matt Goodrich indicated that "the high impact systems are about 50/50 between civilian agencies and DoD and VA." The high baseline will continue to support alignment with the Continuous Diagnostics and Mitigation (CDM) program managed by the Department of Homeland Security, which provides agencies with network monitoring capabilities to help them stay apprised of risks to their systems.

A recent article on the federal cloud security program included commentary from agency leadership at the Agriculture Department (USDA) and the Air Force. The USDA has taken on the role of a cloud provider and is positioned to broker cloud services for its agencies as well. USDA leadership noted, however, that the gap between public and private research-and-development funding raises some apprehension about keeping pace with industry. In contrast to the USDA's approach, the Air Force prefers to buy the capability from the private sector, counting on vendors to maintain the cutting edge and freeing the service to dedicate internal resources to other issues.

Several vendors are currently testing the new set of requirements in a pilot that is expected to wrap up in February or March 2016, before the elevated baseline is finalized. Version 1.0 of the FedRAMP high baseline is expected to be released in the coming weeks, and the requirements for third-party assessment organizations are anticipated by the end of February 2016. While the new baseline will offer a higher authorization level than the existing moderate baseline, it does not extend to classified data or national security information. Other areas for potential future development within the FedRAMP program include addressing the lack of transparency into the review of cloud service providers, the need for a better understanding of how federal agencies are using cloud services, and how continuous monitoring will fit into service delivery.