recommended reading

Is Your Agency Ready for the Cloud Security Deadline in June?


A deadline for federal agencies to adhere to the government’s baseline cloud security standards and changes to the standards themselves are both fast approaching.

June 5 is the scheduled deadline for agencies to have their existing cloud computing solutions assessed against the Federal Risk and Authorization Management Program, or FedRAMP, and those that fail to do so risk falling in the crosshairs of oversight bodies like inspectors general or the Government Accountability Office.

Around the same time, the General Services Administration is expected to update FedRAMP’s baseline security controls. Since it rolled out two years ago, FedRAMP controls have been based on the third revision of the National Institute of Standards and Technology’s Special Publication 800-53.

But GSA began FedRAMP’s revision process after NIST released a fourth revision to SP 800-53 – also called SP 800-53 Rev 4 – one year ago. GSA first solicited public comments, and then incorporated that feedback into a revised baseline that was reviewed by the FedRAMP Joint Authorization Board, or JAB  – comprised of chief information officers from GSA and the departments of Homeland Security and Defense.

GSA’s move forward with the transition to revised FedRAMP standards now hinges upon NIST’s completion of test cases, and summer looks like a realistic completion date, FedRAMP Director Maria Roat said at an April 8 conference.

While both technically constitute unrelated changes, the FedRAMP deadline and its pending revision will echo across government.

The deadline has already sped up action in the FedRAMP pipeline as cloud service providers and agencies alike look to avoid the unfavorable notion of showing up negative IG or GAO reports.

Additionally, 800-53 Rev 4 is far from a trivial update from NIST as it aims to keep up with evolving technology; it increases the total number of security controls from 600 to more than 850.

In a June 2013 publication, GSA cataloged the impact of Revision 4 on the FedRAMP baseline, highlighting 40 new controls and significant changes to approximately 160 others.

GSA officials plan to release a transition strategy guide in the coming days that will provide guidance to agencies and cloud service providers. Cloud solutions that have already achieved FedRAMP compliance will avoid having to completely redo FedRAMP assessments and will be given a timeframe and parameters by which to implement and test new controls.

Cloud service providers that have not yet achieved approval for a solution from the FedRAMP JAB or earned an agency authority to operate will be given a deadline to meet the new standards as well.

In any case, meeting the standards will require new investments from cloud service providers to ensure their solutions still compete in the government’s growing cloud market. For cloud service providers, that will be the cost of doing business.

“The way we view it, quite frankly, is that the cloud is a living organism – it’s not static,” said John Keese, CEO of Autonomic Resources, the first cloud service provider to earn FedRAMP compliance for a solution.

“As technology and security issues change, you’re going to have to continuously modify your security approaches to be secure,” Keese added. “These are good things.”

(Image via wavebreakmedia/

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security


When you download a report, your information may be shared with the underwriters of that document.