Contractors must adopt new standards for securing federal cloud solutions. (NSF.gov)
The General Services Administration on Tuesday released deadlines for cloud providers to adopt revised security standards, as a prerequisite for doing business with the federal government.
The change will affect all current and future cloud service providers as they undergo the government's security review process known as FedRAMP. Agencies have been directed to issue contract language requiring companies to comply with the standards.
The deadline for cloud providers to adopt the new standards and documentation depends on what stage of the review process companies have completed. For example, cloud providers that are applying to FedRAMP will be expected to adopt the new standards right away.
Companies that begin the FedRAMP process before June 1 will complete their reviews using the current security standards. Those companies will have one year from the date they receive FedRAMP approval to implement the new security standards, submit the necessary documentation and undergo testing.
Cloud providers that have completed FedRAMP reviews, such as Amazon and Microsoft, will also have to adopt the new standards.
“The FedRAMP [program management office] will prioritize and adjust the number of controls required for testing based on the [cloud service provider's] risk posture,” the FedRAMP program management office said in a statement.
The current security controls under FedRAMP are based on National Institute of Standards and Technology guidelines, which govern how agencies should secure their information technology systems. NIST updated those guidelines last year.
The FedRAMP program management office is working with the federal Chief Information Officers Council to provide further updates by June 1 on the new security standards.
There will be about 72 new security requirements that will have to be tested, according to the FedRAMP program office, which is housed at GSA. The FedRAMP team expects between 140 and 150 controls will need to be tested.