A deadline for federal agencies to adhere to the government’s baseline cloud security standards and changes to the standards themselves are both fast approaching.
June 5 is the scheduled deadline for agencies to have their existing cloud computing solutions assessed against the Federal Risk and Authorization Management Program, or FedRAMP, and those that fail to do so risk falling in the crosshairs of oversight bodies like inspectors general or the Government Accountability Office.
Around the same time, the General Services Administration is expected to update FedRAMP’s baseline security controls. Since it rolled out two years ago, FedRAMP controls have been based on the third revision of the National Institute of Standards and Technology’s Special Publication 800-53.
But GSA began FedRAMP’s revision process after NIST released a fourth revision to SP 800-53 – also called SP 800-53 Rev 4 – one year ago. GSA first solicited public comments, and then incorporated that feedback into a revised baseline that was reviewed by the FedRAMP Joint Authorization Board, or JAB – comprised of chief information officers from GSA and the departments of Homeland Security and Defense.
GSA’s move forward with the transition to revised FedRAMP standards now hinges upon NIST’s completion of test cases, and summer looks like a realistic completion date, FedRAMP Director Maria Roat said at an April 8 conference.
While the two are technically unrelated changes, the FedRAMP deadline and the pending revision will both echo across government.
The deadline has already sped up action in the FedRAMP pipeline as cloud service providers and agencies alike look to avoid showing up in negative IG or GAO reports.
Additionally, 800-53 Rev 4 is far from a trivial update from NIST as it aims to keep up with evolving technology; it increases the total number of security controls from 600 to more than 850.
In a June 2013 publication, GSA cataloged the impact of Revision 4 on the FedRAMP baseline, highlighting 40 new controls and significant changes to approximately 160 others.
GSA officials plan to release a transition strategy guide in the coming days that will provide guidance to agencies and cloud service providers. Cloud solutions that have already achieved FedRAMP compliance will avoid having to completely redo FedRAMP assessments and will be given a timeframe and parameters by which to implement and test new controls.
Cloud service providers that have not yet achieved approval for a solution from the FedRAMP JAB or earned an agency authority to operate will be given a deadline to meet the new standards as well.
In any case, meeting the standards will require new investments from cloud service providers to ensure their solutions still compete in the government’s growing cloud market. For cloud service providers, that will be the cost of doing business.
“The way we view it, quite frankly, is that the cloud is a living organism – it’s not static,” said John Keese, CEO of Autonomic Resources, the first cloud service provider to earn FedRAMP compliance for a solution.
“As technology and security issues change, you’re going to have to continuously modify your security approaches to be secure,” Keese added. “These are good things.”