FedRAMP rolls out high security baseline

Cloud service providers have a new high-level security model they can offer to federal agencies.

The General Services Administration, which operates the Federal Risk and Authorization Management Program for cloud vendor, rolled out its long-awaited high security baseline on June 22.

Before this development, federal agencies could migrate only low- and moderate-impact workloads to CSPs. The release of the high baseline will allow federal agencies to more widely use cloud services for their most critical data immediately, said FedRAMP Director Matt Goodrich.

"We already have three vendors ready," he said. "Agencies are already using the service."

Those three vendors who piloted the new high baseline are among the largest cloud service providers: Microsoft Azure, CSRA and Amazon Web Services.  Each now has Provisional Authority to Operate from the FedRAMP Joint Authorization Board.

The high baseline will allow CSPs to handle and store data (such as personally identifiable information or health records) that if compromised could severely hurt organizational operations, assets or people in the federal agency that hired the provider. Under the baseline, CSPs must secure data centers to levels mandated for unclassified data in cloud environments under the Federal Information Processing Standard, or FIPS.

GSA has been polishing the latest draft for months, and in January Goodrich said the JAB review would be completed by February or March.

The release date kept slipping, however . FCW has learned that some of the delay is attributable to a lengthy Department of Homeland Security review. Multiple sources confirmed to FCW that the document had been under DHS review for the last month as final touches were made to one control feature in particular.

Approval from DHS is needed because it is one of the three agencies (along with GSA and the Defense Department) whose CIOs make up the JAB. DHS, which has other, broader responsibilities for federal network protection, has shown itself to be a stickler for detail. 

The next $40 billion

The high baseline could open up cloud procurement across the entire federal government.

"With low and moderate [security standards], we addressed about half, or $40 billion" of the $80 billion federal IT market, Goodrich said.  Those baselines couldn't address the security needs of the other $40 billion of federal agency IT spend, however.  With the new high baseline, he said, there is "now almost a totality of spend.

More than a year in the making, "FedRAMP high" has been subject to extensive public comment from stakeholders. FedRAMP's Program Management Office issued a second draft of the high baseline earlier this year that looked at controls, after getting input from the commercial and federal interests.

The lengthy timeline for developing the baseline, Goodrich told FCW, was to ensure it would be effective for the critical services it is aimed at protecting.

"With the moderate baseline, you can have shared services outside the boundary" and other less stringent requirements, Goodrich said. "With the high baseline, you can't be outside the boundary."

GSA worked with CSPs, third party assessment organizations and the other two JAB agencies to refine the security baseline, according to Goodrich. That collaboration, he said, will help efforts to speed cloud approvals through the FedRAMP accelerated program.