FedRAMP draft specifications out for comment
The General Services Administration is soliciting comment on a proposed set of common security configurations for low to moderate impact cloud offerings in a document posted online Nov. 2.
The program behind the configurations, the Federal Risk and Authorization Management Program (FedRAMP), is intended to let agencies rely on a commonly accepted risk assessment and cybersecurity evaluation of cloud services, rather than each agency repeating the evaluation on its own.
But the draft document warns that a FedRAMP authorization would not exempt agencies from the responsibility of signing their own authorization to operate (ATO) when utilizing a FedRAMP-approved cloud offering. Rather, a FedRAMP authorization would be a baseline for federal agencies "to review and potentially leverage," the document states.
Agency officials would still have to assess for themselves risk factors revealed in the FedRAMP cloud offering documentation, including the time elapsed since GSA granted a particular service a FedRAMP authorization, "as well as the overall risk tolerance of the leveraging organization," the draft guidelines state.
The FedRAMP configurations are based in part on the third revision of National Institute of Standards and Technology Special Publication 800-53. A FedRAMP authorization would also require a continuous monitoring program: service providers would have to perform weekly scans for malicious code and monthly vulnerability scans of all servers, the draft document states.
FedRAMP authorization would come from a Joint Authorization Board, chaired by the federal chief information officer and with permanent representation from the departments of Defense and Homeland Security, and the General Services Administration.
The federal CIO would also be responsible for tasking and funding FedRAMP, even while the General Services Administration would perform the day-to-day operations, the draft document states.
The first phase of FedRAMP should be operational in the first quarter of calendar year 2011, according to a GSA statement.
GSA will accept comments from federal agencies, vendors and the public through 11:59 p.m. Eastern time on Dec. 2. It also plans to hold two information sessions before then: one for vendors and one for government agencies.
For more:
- go to the FedRAMP website, or directly to the draft document (.pdf)
- see a statement from GSA about the draft document
Related Articles:
Cloud computing standards and procurement processes take shape
Army migrates email to DISA cloud
NASA launches private cloud
Cybersecurity guidance lacking for federal cloud computing