GSA's Matthew Goodrich says FedRAMP's joint authorization board is considering more security controls, but is weighing the benefits. (Colin Kelly / Federal Times)
The General Services Administration is updating governmentwide standards for securing cloud solutions and expects to release those changes within the next three months.
The 298 security controls under FedRAMP are based on National Institute of Standards and Technology guidelines, which govern how agencies should secure their information technology systems. NIST updated those guidelines last year.
GSA will release plans in the coming weeks for cloud providers under FedRAMP to transition to the new standards, said Matt Goodrich, program manager for FedRAMP.
For now, FedRAMP reviews and authorizes cloud computing systems at the low- and moderate-impact levels, in terms of potential impact on organizational operations and assets if they are disrupted. "At this point, FedRAMP will not focus on FISMA high impact levels," according to the program's website.
But FedRAMP's joint authorization board, which approves security reviews, is at least considering that option, said Goodrich, who spoke at an April 2 Intel Security summit.
One thing to consider is how many agencies would benefit from adding additional security controls to FedRAMP. Goodrich said only 20 percent of the government's systems are classified at high-impact levels. Of that, about 80 percent of those systems belong to the Defense and Homeland Security departments.
DHS is considering adding controls to FedRAMP's baseline requirements, said Scott Tousley, deputy director of the Cyber Security Division in DHS' Science & Technology Directorate. While FedRAMP's baseline is sufficient for agencies like the Federal Emergency Management Agency, which manage public data, the Secret Service's internal data would require more stringent standards.
If most agencies were to add security requirements to the baseline, that may prompt FedRAMP to consider updating the minimum standards, said Scott Renda, portfolio manager for cloud computing at the Office of Management and Budget.
DoD is implementing the only departmentwide effort to add controls above the FedRAMP baseline, Goodrich said. Other agencies aren't requiring extra security controls for cloud solutions that have been approved through FedRAMP's joint board.
"Agencies are seeing that baseline to be better than what they did already," he said.