recommended reading

Is Your Agency Ready for the Cloud Security Deadline in June?


A deadline for federal agencies to adhere to the government’s baseline cloud security standards and changes to the standards themselves are both fast approaching.

June 5 is the scheduled deadline for agencies to have their existing cloud computing solutions assessed against the Federal Risk and Authorization Management Program, or FedRAMP, and those that fail to do so risk falling in the crosshairs of oversight bodies like inspectors general or the Government Accountability Office.

Around the same time, the General Services Administration is expected to update FedRAMP’s baseline security controls. Since it rolled out two years ago, FedRAMP controls have been based on the third revision of the National Institute of Standards and Technology’s Special Publication 800-53.

But GSA began FedRAMP’s revision process after NIST released a fourth revision to SP 800-53 – also called SP 800-53 Rev 4 – one year ago. GSA first solicited public comments, and then incorporated that feedback into a revised baseline that was reviewed by the FedRAMP Joint Authorization Board, or JAB  – comprised of chief information officers from GSA and the departments of Homeland Security and Defense.

GSA’s move forward with the transition to revised FedRAMP standards now hinges upon NIST’s completion of test cases, and summer looks like a realistic completion date, FedRAMP Director Maria Roat said at an April 8 conference.

While both technically constitute unrelated changes, the FedRAMP deadline and its pending revision will echo across government.

The deadline has already sped up action in the FedRAMP pipeline as cloud service providers and agencies alike look to avoid the unfavorable notion of showing up negative IG or GAO reports.

Additionally, 800-53 Rev 4 is far from a trivial update from NIST as it aims to keep up with evolving technology; it increases the total number of security controls from 600 to more than 850.

In a June 2013 publication, GSA cataloged the impact of Revision 4 on the FedRAMP baseline, highlighting 40 new controls and significant changes to approximately 160 others.

GSA officials plan to release a transition strategy guide in the coming days that will provide guidance to agencies and cloud service providers. Cloud solutions that have already achieved FedRAMP compliance will avoid having to completely redo FedRAMP assessments and will be given a timeframe and parameters by which to implement and test new controls.

Cloud service providers that have not yet achieved approval for a solution from the FedRAMP JAB or earned an agency authority to operate will be given a deadline to meet the new standards as well.

In any case, meeting the standards will require new investments from cloud service providers to ensure their solutions still compete in the government’s growing cloud market. For cloud service providers, that will be the cost of doing business.

“The way we view it, quite frankly, is that the cloud is a living organism – it’s not static,” said John Keese, CEO of Autonomic Resources, the first cloud service provider to earn FedRAMP compliance for a solution.

“As technology and security issues change, you’re going to have to continuously modify your security approaches to be secure,” Keese added. “These are good things.”

(Image via wavebreakmedia/

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.


When you download a report, your information may be shared with the underwriters of that document.