FedRAMP releases draft for higher security cloud computing authorization, seeks public input


The federal government Jan. 27 released a long-awaited draft document that establishes a high baseline of security controls for cloud computing service providers, allowing them to host some of the federal government's most sensitive information.

The draft was released by the Joint Authorization Board of the Federal Risk and Authorization Management Program, or FedRAMP, the government-wide program that is standardizing cloud security assessment and authorization. The JAB is made up of the chief information officers of the Homeland Security and Defense departments and the General Services Administration.

"The intent of the baseline is to identify the federal standard that needs to be met at a minimum across...all uses of cloud computing services on federal data," said FedRAMP Director Matt Goodrich, during a Jan. 28 webinar about the new draft document.

Until now, only low to moderate baselines for security controls have been available. That's because the JAB recognized that high-impact systems pose additional challenges and that more effort and learning needed to go into them, said Matt Smith, chief security engineer for DHS and JAB's technical representative for FedRAMP, during the webinar.

"We have been steadily seeing demand for that opportunity to grow and we are at the point where we have enough background, history, understanding and expertise with the cloud computing services and vendor community, the maturity of the federal use of those services and the perspective that's going to be necessary to use cloud computing services" for that high security baseline, he said.

That baseline will be particularly important for the Defense, Homeland Security, Justice, Veterans Affairs and the Health and Human Services departments, which hold a majority of sensitive data across the government.

Federal officials are seeking public comment on the high-level draft baseline over the next 45 days, until March 13. They expect to send out a second draft for public comment sometime this summer and then finalize the draft before the end of the calendar year.

Goodrich added that officials want a "thoughtful dialogue" with industry about the draft document. He said that if providers or agencies think a security control is too complicated to implement, they should provide comments on alternative controls that would meet the same intent.

For more:
- download the high baseline draft document from FedRAMP
