recommended reading

GSA Has a New Plan for Cloud Providers Navigating Changing Security Standards

Maksim Kabakou/Shutterstock.com

The General Services Administration released a transition plan on Tuesday that provides guidance to cloud computing service providers that will have to adhere to new baseline security standards slated for release in June.

The transition plan will govern how CSPs adhere to upcoming changes to the Federal Risk and Authorization Management Program, or FedRAMP, based on the fourth revision of the National Institute of Standards and Technology’s Special Publication 800-53.

The plan provides specific guidance to CSPs at varying stages.

CSPs in the early “initiation” phase will have to implement new baseline standards and test SP 800-53 Rev. 4 controls before receiving authorization. Those in the FedRAMP pipeline before June 1 will be assessed against current FedRAMP baseline standards – based on NIST’s SP 800-53 Rev. 3 – but will have one year from the authorization date to implement the new baseline, submit new documents using updated templates and test their controls against new Rev. 4 controls.

Similarly, CSPs with FedRAMP-accredited solutions with an annual continuous monitoring assessment completed prior to June 1 will have “one year from the date of their last assessment” to implement the new baseline and complete testing. CSPs with an annual assessment scheduled between June 1, 2014 and Jan. 1, 2015, must implement the new baseline and complete testing in 2015.

“This is a matter of communicating with providers, being transparent and letting people know what we’re doing,” FedRAMP Director Maria Roat said.

GSA’s FedRAMP team has been touting the coming updates for some time as it partnered with technical teams at the Homeland Security and Defense departments and the Defense Information Systems Agency. Roat said GSA is in the process of wrapping up test cases for the new controls right now, after which the FedRAMP Program Management Office will publish the new FedRAMP security control baseline and accompanying templates.

According to the transition document, the new FedRAMP security baseline will be a substantial upgrade from its prior implementation, signifying a more rigid approach to the government’s cloud security and risk posture.

“The FedRAMP Program Management Office anticipates that the level of effort will require testing between 140 to 150 controls,” the document stated. “There are approximately 72 new Rev. 4 controls and 70 core controls for annual testing.  The FedRAMP PMO will prioritize and adjust the number of controls required for testing based on the CSPs risk posture.”

(Image via Maksim Kabakou/Shutterstock.com)

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

    Download
  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

    Download
  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

    Download
  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

    Download
  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

    Download
  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.

    Download

When you download a report, your information may be shared with the underwriters of that document.