FedRAMP to Release Draft Standards for High-Impact Systems

Draft standards, due out next week, will provide a baseline for securing the federal government’s high-impact systems in the cloud.

The move is a huge step forward for agencies — which until now had been focused on securing low- and moderate-impact cloud computing systems — in terms of how disrupted systems may affect organizational operations and assets.

Growing demand from agencies seeking to reap the benefits of cloud computing has shifted the focus to high-impact systems, or those systems that are necessary to support agencies’ continuity of operations. Also included in that category, according to a November 2013 Office of Management and Budget (OMB) memo, are all cyber critical infrastructure and key resources identified in agencies’ Homeland Security Policy Directive 7 plans. “Information systems used by agencies to provide services to other agencies such as under E-Government initiatives and lines of business, could also be high impact, but are at least moderate impact,” the OMB noted in the memo.

The Federal Risk Authorization Management Program (FedRAMP) office will release the draft standards for public comment on Jan. 27 and host a webinar the following day to review the high baseline standards. There will be a second public comment period before the standards are finalized by the end of the year. (View the draft standards here).

“What we want to do is really have a thoughtful dialogue around those security controls that we think are needed at the high baseline,” FedRAMP Director Matt Goodrich said Thursday at an FCW cloud-computing event in Washington, D.C.

The FedRAMP team worked with several agencies to develop the draft requirements: Defense, Justice, Homeland Security, Veterans Affairs and Health and Human Services. Combined, these agencies represent 75 percent of the market for high-impact systems. The National Institute of Standards and Technology (NIST) also weighed in, since the draft standards are based on NIST Special Publication 800-53, Revision 4.

For the first time, industry will have clarification on how to implement security requirements and justification for why standards were selected, Goodrich said of the new draft standards. This level of detail fosters conversations. People may say a certain standard isn’t necessary and explain why, or they may provide cost-effective alternatives for achieving the same security outcomes, Goodrich added.

FedRAMP Acquisition Guidance Coming Soon

In February, the FedRAMP office will release draft guidance on how agencies should effectively include FedRAMP standards in their contracts. The guidance will be open to comment from government and industry for about a month.

The FedRAMP office is working with several entities — the Office of Management and Budget, the CIO and CAO councils, the Office of Federal Procurement Policy and the Office of E-Government and Information Technology — to develop guidance that defines how FedRAMP should be included in contracts, Goodrich said. Although agencies must mandate FedRAMP compliance in their contracts, “there is no guidance exactly on how to do that,” he added. Agencies need evaluation criteria for ensuring that proposals meet cloud security standards.

To learn more about how cloud computing solutions can help your organization get ahead, visit cdw.com/cloud.