FedRAMP baseline controls released
Federal officials on Jan. 6 released the security controls that constitute the basis of governmentwide authorization and accreditation of cloud computing systems.
The controls (.zip), part of a program known as FedRAMP, are meant to act as a common federal baseline for low- and moderate-risk cloud services. A Dec. 8, 2011 memo (.pdf) from Federal Chief Information Officer Steven VanRoekel tells agencies to use provisional authorization of public cloud computing services granted via an independent third party using FedRAMP criteria when conducting their own risk assessments.
Provisional authorization granted under the FedRAMP program by a third party doesn't replace agencies' need to conduct their own risk assessments, federal officials said during a Dec. 8 press call, but should satisfy the vast majority of local security controls. The FedRAMP program office has yet to release a concept of operations with more details, but plans to within a month, said Homeland Security Department Chief Information Officer Richard Spires in a Jan. 6 blog post. Spires has been active in governmentwide efforts.
The controls have been taken directly from National Institute of Standards and Technology Special Publication 800-53 Rev. 3.
Among them is a requirement that passwords be a mix of at least 12 characters combining upper- and lowercase letters, numbers and special characters, although the controls exclude mobile devices from the password complexity requirement.
Cloud computing providers will also have 30 days under the FedRAMP controls to correct high-risk vulnerabilities, while the time period for rectifying moderate-risk vulnerabilities is 90 days. Providers must also conduct at least quarterly vulnerability scans of operating systems, web applications and databases, the controls say.
For more:
- download the FedRAMP security controls from gsa.gov (.zip)
- read Spires' Jan. 6 blog post
© 2012 FierceMarkets. All rights reserved.


