FedRAMP Security Controls Unveiled
Federal Risk and Authorization Mgt. Program Vets Providers
The security controls for the Federal Risk and Authorization Management Program, or FedRAMP, align with the National Institute of Standards and Technology Special Publication 800-53 Revision 3 for low and moderate impact systems. Cloud computing providers must implement these security controls in order for them to receive authorization to provide cloud services to federal agencies.
In the past year, the FedRAMP Joint Authorization Board received more than 1,000 comments from government and business stakeholders, of which 350 addressed the security controls and enhancements proposed by the board.
Writing in a blog posted on the Federal Chief Information Officers Council website, Department of Homeland Security CIO Richard Spires said the security controls approved by the board create a baseline that addresses the elements unique to authorizing cloud products and services, including multi-tenancy, control of infrastructure and shared resource pooling. "This baseline serves all federal agencies and [cloud service providers], to which additional controls may be added by agencies to meet specific requirements," Spires said.
How the FedRAMP security controls are to be implemented will be detailed in several documents to be released before the program reaches initial operating capability later this year. Those documents will align with the NIST SP 800-37 Risk Management Framework and include:
- System Security Plan, which clarifies how the requirements of each security control will be met within a cloud computing environment. Within the plan, the entry for each control must detail (1) the solutions being deployed, such as devices, documents and processes; (2) the responsibilities of the provider and the government customer in implementing the control; (3) the timing of implementation; and (4) how the solution satisfies the control.
- Security Assessment Plan, which details how each control implementation will be assessed and tested to ensure it meets the requirements.
- Security Assessment Report, which explains the issues, findings and recommendations from the security control assessments described in the security assessment plan.
The government won't allow federal agencies to use a cloud service provider unless the vendor can prove that a FedRAMP-accredited third-party organization has verified and validated its security controls. The board said the process by which cloud service providers engage third-party accrediting organizations should be released next month.
"FedRAMP's unified risk management process will evaluate IT services offered by vendors on behalf of federal agencies, saving agencies from conducting their own risk management programs," Spires said. "By reducing duplicative risk management efforts, FedRAMP will enable federal agencies to focus their evaluations of IT services on their agency's specific needs, as well as their privacy and security requirements."