The Federal Risk and Authorization Management Program (FedRAMP) released a highly anticipated draft of a new cloud security certification level Tuesday, Jan. 27. When finalized, the new high impact baseline will be the strongest authorization level, answering the call from agencies looking to put more sensitive data in the cloud.
The draft high baseline documents released Tuesday lay out a process for authorizing cloud service providers to host data that, if leaked or otherwise compromised, would have a significant impact, including personal harm, loss of life or financial ruin.
Most of the information to be covered under the high baseline will be law enforcement data and patient health records, according to FedRAMP Director Matt Goodrich, though it will not cover classified information or data relevant to national security.
"The high impact systems are about 50/50 between civilian agencies and DoD and VA, making the high baseline incredibly important," Goodrich said Tuesday. "There has been significant teaming and communications among the key federal players with high impact systems in order to align needs, ensure there is demand and realize the benefits of cloud and FedRAMP."
Goodrich noted one of the key drivers in the need for a high rating was the Continuous Diagnostics and Mitigation (CDM) program managed by DHS, which creates a set of cybersecurity systems to give agencies a real-time view of their networks and help manage risk.
"CDM had a distinct need for a high baseline and the release of this baseline helps CDM and FedRAMP continue to align," he said.
The draft will be open for comment for 45 days before a second draft is issued.
Goodrich said he doesn't expect anything in the document to be controversial, as the metrics were taken from the National Institute of Standards and Technology (NIST) 800-53 catalog of controls.
"FedRAMP is looking for a thoughtful dialog with industry and agencies to ensure that any high baseline is feasible for vendors to implement, identify any proposed alternatives that could achieve the same intended level of security and drive reuse in the same way the moderate and low baselines have to-date," he said.
There will be another 45-day comment period when the second draft is released. The final version is expected before the end of 2015.
While the high baseline will be the strongest FedRAMP level to date, Goodrich said the PMO plans to continually review security needs and update and create new baselines as needed.
The FedRAMP PMO will be hosting a webinar on the new security level Wednesday afternoon.
Aaron Boyd is an award-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.