The new FedRAMP high impact baseline for cloud services was released Tuesday and officials are asking industry and federal stakeholders to examine the controls and justifications and provide constructive feedback.
The controls listed in the draft document include 325 established under the FedRAMP moderate baseline; 64 of 343 NIST High controls that aren't duplicates of the FedRAMP standards; and 18 new controls that are expected to be the focus of the first comment period.
"This is meant to be more than a starting point — it's a ubiquitous point," said Matt Smith, chief security engineer at DHS, explaining that the baseline controls are intended to address all potential systems and uses. "None of this is to prescribe a particular architecture … These are simply stating the specific control-by-control government standards."
With past iterations, FedRAMP officials have simply issued drafts and asked stakeholders to provide their opinions. This time around, the draft document includes specific justifications as to why each control was selected.
"We took a lot of time to make sure we could have a thoughtful conversation about the controls," said FedRAMP Director Matt Goodrich.
Alongside data points such as the control name, ID and a brief description, the spreadsheet includes, under column K, an explanation for why each metric was included.
Interested parties are encouraged to review them all and add comments under column N. The completed spreadsheets should be sent to firstname.lastname@example.org by March 13.
Comments will not be considered if the structure of the spreadsheet is altered, officials warned.
A second draft based on the first round of comments is planned for mid-summer, allowing interested parties one more opportunity to comment on the direction of the final baseline.
The FedRAMP PMO plans to have the final version completed by the end of calendar 2015 and is on track to do so, Goodrich said.