FedRAMP officials reach consensus on controls, says Bhagowalia


Federal officials at work on the Federal Risk and Authorization Management Program have agreed on a set of minimal common security controls for cloud computing, said a senior General Services Administration official March 29.

Officials from the departments of Defense and Homeland Security, and GSA, have identified 114 Federal Information Security Management Act security controls, plus an additional four to five continuous monitoring controls, that will form the FedRAMP baseline, said Sanjeev "Sonny" Bhagowalia, GSA deputy associate administrator in the office of citizen services and innovative technologies. He spoke before an industry audience in Arlington, Va., assembled for an Industry Advisory Council network and telecommunications special interest group meeting.

The intent behind FedRAMP is to allow agencies to make use of commonly accepted risk assessments and cybersecurity evaluations of low- to moderate-impact cloud services, allowing federal agencies to implement a cloud solution without having to individually certify and accredit the solution for themselves. ("Certification and accreditation," a prerequisite under FISMA for a system to operate within an agency network, is also being called "assessment and authorization" under some circumstances these days.)

"We have come up with a way, we think, of a unified set of controls and a new policy and a model of how we're going to make this work," Bhagowalia said.

FedRAMP does not require agencies to accept the common baseline or a certification and accreditation performed by another agency, meaning that agencies will have to trust each other if the anticipated cost-savings of FedRAMP are to occur, he added.

On a related note, Bhagowalia said agencies have submitted lists of the data centers they intend to close under an Office of Management and Budget drive to close 800 of them by 2015.

"We have a list, but it's sensitive" and not yet final because agencies are making revisions to the list, he said. GSA's goal is to reduce its number of data centers from 15 down to three within five years, he added. "We know which ones we're looking at."
