NIST prepping more cloud security control guidance to complement FedRAMP

Forthcoming guidance NIST SP 800-174 will look at security control allocation, reference SP 800-53 controls

The National Institute of Standards and Technology is working on new guidance that will address the distribution and placement of security controls for cloud computing environments, according to an agency official at a May 5 industry event.

During the Cloud Security Alliance's Federal Summit in Washington, D.C., Michaela Iorga, NIST's senior security technical lead for cloud computing, indicated the guidance would provide a more in-depth approach to cloud security.

Agencies may compare cloud providers that appear to meet the same security baselines, but, in reality, the providers are implementing security controls in different places in the technology stack, she said.

"From a distance, you might think that [cloud providers] have the same security posture because they implement it at the same impact level and the same baseline," said Iorga. "But in reality, it's not the case, because you might need more information, you might need the same controls applied as part of the baseline on other layers of the stack."

The forthcoming guidance – NIST Special Publication 800-174 – will provide a "cloud overlay" that references each control in the agency's security catalog, NIST SP 800-53 revision 4, which is also the foundational reference document for the Federal Risk and Authorization Management Program, or FedRAMP.

And, much like FedRAMP, the new guidance will list the controls needed for capabilities in "low-," "medium-" and "high-impact" cloud systems, but the NIST overlay will go beyond those required by FedRAMP.

Iorga said 800-174 will reflect NIST's recommendation for how a cloud capability should be properly and completely secured - above and beyond the FedRAMP baseline for each capability.
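The distinction Iorga draws, that two providers can satisfy the same baseline while placing controls at different layers of the stack, can be made concrete with a small model. The example below is added here and is not NIST's overlay or any provider's data; the layer names, the per-layer allocation table and both provider allocations are constructed, while the control identifiers are real SP 800-53 rev 4 controls used only as labels.

```python
"""Compare a layer-agnostic baseline check with a layer-aware overlay check.

Constructed illustration: a baseline only asks whether a control exists
somewhere; an overlay asks at which layers of the stack it must exist.
"""

# Constructed stack layers (not from the article or SP 800-174).
LAYERS = ("physical", "hypervisor", "network", "platform", "application")

# Baseline view, like FedRAMP: the control must be implemented somewhere.
BASELINE = {"AC-2", "AU-2", "IA-2", "SC-7", "SI-4"}

# Hypothetical overlay: control -> layers at which it must be present.
OVERLAY = {
    "AC-2": {"hypervisor", "platform", "application"},       # account management
    "AU-2": {"hypervisor", "network", "platform", "application"},  # audit events
    "IA-2": {"platform", "application"},                     # identification/authn
    "SC-7": {"network", "platform"},                         # boundary protection
    "SI-4": {"hypervisor", "network", "application"},        # system monitoring
}

# Constructed provider allocations: control -> layers where it is implemented.
PROVIDER_A = {
    "AC-2": {"platform", "application"}, "AU-2": {"platform"},
    "IA-2": {"application"}, "SC-7": {"network"}, "SI-4": {"network"},
}
PROVIDER_B = {
    "AC-2": {"hypervisor", "platform", "application"},
    "AU-2": {"hypervisor", "network", "platform", "application"},
    "IA-2": {"platform", "application"}, "SC-7": {"network", "platform"},
    "SI-4": {"hypervisor", "network", "application"},
}


def baseline_gaps(allocation):
    """Baseline controls the provider has not implemented at any layer."""
    implemented = {c for c, layers in allocation.items() if layers}
    return BASELINE - implemented


def overlay_gaps(allocation, overlay=OVERLAY):
    """Per control, the overlay-required layers where the provider lacks it."""
    gaps = {}
    for control, required in overlay.items():
        missing = required - allocation.get(control, set())
        if missing:
            gaps[control] = missing
    return gaps


if __name__ == "__main__":
    # Both providers pass the baseline; only the overlay separates them.
    for name, alloc in (("A", PROVIDER_A), ("B", PROVIDER_B)):
        print(name, "baseline gaps:", baseline_gaps(alloc))
        print(name, "overlay gaps:", overlay_gaps(alloc))
```

Both providers report no baseline gaps, yet the overlay check shows provider A missing several controls at the hypervisor, network and application layers, which is exactly the difference a layer-agnostic comparison hides.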

"A baseline is a baseline," she added. "If you stay at minimum you'll get minimum security. But if you want to have a security posture on the system that is commensurable with your needs, then maybe you can look at the other controls that are there if we have more listed."

She added that it will be up to agencies to decide whether they can stick with baseline security controls, or if they should go higher. They will want to optimize what they spend and not "super secure" everything, she said.
