
Is Your Agency Ready for the Cloud Security Deadline in June?


A deadline for federal agencies to adhere to the government’s baseline cloud security standards and changes to the standards themselves are both fast approaching.

June 5 is the scheduled deadline for agencies to have their existing cloud computing solutions assessed against the Federal Risk and Authorization Management Program, or FedRAMP, and those that fail to do so risk falling in the crosshairs of oversight bodies like inspectors general or the Government Accountability Office.

Around the same time, the General Services Administration is expected to update FedRAMP’s baseline security controls. Since it rolled out two years ago, FedRAMP controls have been based on the third revision of the National Institute of Standards and Technology’s Special Publication 800-53.

But GSA began FedRAMP’s revision process after NIST released a fourth revision to SP 800-53 – also called SP 800-53 Rev 4 – one year ago. GSA first solicited public comments, and then incorporated that feedback into a revised baseline that was reviewed by the FedRAMP Joint Authorization Board, or JAB – composed of chief information officers from GSA and the departments of Homeland Security and Defense.

GSA’s move forward with the transition to revised FedRAMP standards now hinges upon NIST’s completion of test cases, and summer looks like a realistic completion date, FedRAMP Director Maria Roat said at an April 8 conference.

While the two are technically unrelated changes, the FedRAMP deadline and the pending revision will both echo across government.

The deadline has already sped up action in the FedRAMP pipeline as cloud service providers and agencies alike look to avoid the unfavorable prospect of showing up in negative IG or GAO reports.

Additionally, 800-53 Rev 4 is far from a trivial update from NIST as it aims to keep up with evolving technology; it increases the total number of security controls from 600 to more than 850.

In a June 2013 publication, GSA cataloged the impact of Revision 4 on the FedRAMP baseline, highlighting 40 new controls and significant changes to approximately 160 others.

GSA officials plan to release a transition strategy guide in the coming days that will provide guidance to agencies and cloud service providers. Cloud solutions that have already achieved FedRAMP compliance will avoid having to completely redo FedRAMP assessments and will be given a timeframe and parameters by which to implement and test new controls.

Cloud service providers that have not yet achieved approval for a solution from the FedRAMP JAB or earned an agency authority to operate will be given a deadline to meet the new standards as well.

In any case, meeting the standards will require new investments from cloud service providers to ensure their solutions still compete in the government’s growing cloud market. For cloud service providers, that will be the cost of doing business.

“The way we view it, quite frankly, is that the cloud is a living organism – it’s not static,” said John Keese, CEO of Autonomic Resources, the first cloud service provider to earn FedRAMP compliance for a solution.

“As technology and security issues change, you’re going to have to continuously modify your security approaches to be secure,” Keese added. “These are good things.”
