Officials at the Federal Risk and Authorization Management Program have released draft security standards aimed at protecting some of the government’s most sensitive unclassified data in cloud computing environments.
FedRAMP officials are now seeking feedback from industry and agencies on the proposed standards.
The so-called high-impact baseline under the Federal Information Security Management Act has been discussed since FedRAMP – the government’s program to standardize cloud security requirements – was created nearly three years ago.
But it’s become a major priority because of recent demand from both the Defense Department and civilian agencies, according to FedRAMP officials.
FedRAMP Director Matt Goodrich, speaking at a recent cloud computing event, said a handful of agencies – the departments of Defense, Health and Human Services, Justice, Homeland Security and Veterans Affairs – make up “75 percent of the federal landscape for high-system use.”
Law enforcement information and patient health care data, for example, are two types of datasets destined for cloud platforms that eventually meet the high baseline.
The public can comment on the draft standards for 45 days, after which a second draft and another public comment period will commence. Goodrich said he expects a final version of the high baseline to be released by the end of 2015.
While this will be FedRAMP’s most rigorous package of cloud security standards yet, Goodrich emphasized that FedRAMP’s standards will “continue to evolve.”
"This is our first draft," Goodrich said during a webinar on the new standards. It took FedRAMP officials about 18 months to finalize standards for low- and moderate-impact systems. "We're hoping to finish this within the calendar year and I think we’re on track to do that."
Officials were able to develop high-baseline draft standards more quickly because the program office wasn't starting from scratch -- they've progressed naturally, building on the low- and moderate-impact baselines. In addition, the office has already forged partnerships across government and identified stakeholders for the high baseline.
The latest release is the culmination of a particularly busy six-month period for FedRAMP’s team.
In June, the office issued new FedRAMP controls, reflecting changes to the National Institute of Standards and Technology Special Publication 800-53 – the same standards the high baseline is mapped around.
Then, in December, the program office launched its “FedRAMP Forward” road map outlining how it will develop over the next two years.
That’s all in addition to processing a growing number of FedRAMP packages from cloud service providers across government.