Goodrich: 'FedRAMP high' baseline coming soon

Draft baseline to be released for public comment on Jan. 27.

Federal Risk and Authorization Management Program Director Matthew Goodrich said Jan. 22 that a draft baseline for cloud computing systems that require FISMA high-impact level security is nearly ready for public comment.

Addressing an audience of about 200 FedRAMP-focused government and industry personnel at an FCW-sponsored event in Washington, D.C., Goodrich said the "FedRAMP high" draft would be published Jan. 27.

Currently, FedRAMP authorizes systems only at the low- and moderate-impact levels set by the Federal Information Security Management Act. But adding high-impact cloud systems is part of the FedRAMP roadmap, and Goodrich said his office is also open to establishing other baselines if there is sufficient agency demand. 

For example, the National Institute of Standards and Technology's 800-series standards for FISMA compliance allow the impact levels for a system's availability, confidentiality and integrity to be set separately, but Goodrich said that FedRAMP is currently locked in a "Low-low-low, medium-medium-medium, high-high-high." 

If there were a need for a baseline that hit high-impact standards only for, say, confidentiality, Goodrich said, "we're not closed off to the idea."