Version 2 of cloud cybersecurity standards coming soon

Thursday - 4/3/2014, 4:35am EDT

Listen to Jason Miller's interview on the Federal Drive.


As agencies face an impending deadline to implement the current set of cloud security standards, the next version already is under development.

The General Services Administration and the Defense and Homeland Security departments are kicking off Federal Risk and Authorization Management Program (FedRAMP) 2.0 by incorporating new cyber requirements from the National Institute of Standards and Technology Special Publication 800-53, Rev 4. NIST released the latest version of the privacy and computer security controls for federal information systems in April 2013.

"We will have that come out at some point in the next two or three months, probably sooner, but I like to under promise and over deliver," said Matt Goodrich, GSA's program manager for FedRAMP, at the Intel Security Innovation Summit in Washington Wednesday. "You'll see our new baseline come out, and we'll have our transition strategy come out in the next few weeks of what that will look like. But essentially with that baseline, we will take the same approach as we did when we launched FedRAMP, which was we put it out for public comments. We took it back with public comments to the JAB teams and looked at those public comments and looked where the baseline should be, and we had a new baseline. We are taking a lot of that into consideration, particularly a lot of those lessons learned over the last two years since the FedRAMP baseline was originally published."

Goodrich said the Joint Authorization Board (JAB) will consider what should be added and what shouldn't be in the baseline any longer.

Scott Renda, an Office of Management and Budget policy analyst, said one of the best attributes of FedRAMP is its flexibility. Renda, who is the portfolio manager for cloud computing at OMB, said if the government decides on new cyber requirements or if several agencies are adding similar security controls to their own version of FedRAMP, the governmentwide baseline isn't hard to update.

Military only ones to add to baseline

So far, over the first two years, only DoD has added controls to the FedRAMP baseline.

Goodrich said the program management office hasn't heard from any other agencies that are following DoD's lead.

Scott Tousley, the deputy director of the Cyber Security Division at the Science and Technology Directorate at DHS, said agencies should be aware of a few challenges before adding new controls.

"I know DHS is looking at some additional controls, but it's a little bit like the iceberg problem — you can think about additional controls to add above the water line, but we've all got lots of work executing the existing controls at a 99.9 percent level, not at an 80 percent level," he said. "We still get hit all too often with old, well-known problems that were not picked up for all sorts of typical reasons."

Goodrich said it's important to remind vendors and agencies that FedRAMP's goal was not to update or change the Federal Information Security Management Act (FISMA), but just to offer some transparency and consistency to the process. He said agencies don't need to add new controls to FedRAMP unless they would have added more controls to FISMA.

DoD decided to add more controls to certain aspects of FedRAMP.

Teri Takai, the DoD chief information officer, clarified comments she made at a recent NIST conference about the path DoD is taking for cloud security.

"As it relates to data classifications, because that's actually the way we look at the need for what standards. For data classification levels 1 and 2, we are following the NIST standards," Takai said in an interview after her speech at the conference. "So when you come in to become qualified to be a DoD cloud provider through the Defense Information Systems Agency cloud broker, we actually are using the FedRAMP standards. We do not have a set of developed standards that are exclusively DoD."

For higher data classification levels that FedRAMP hasn't certified yet, DoD does have an additional set of standards on top of the governmentwide baseline, she said.

"As FedRAMP begins to look at classified information and begins to look at the standards, we actually are inputting to FedRAMP what our second level of standards are, and they're looking at incorporating that into the standard FedRAMP," Takai said. "The idea is over time we would not have any additional or separate set. We all would be using the FedRAMP standards for all levels of classification of information."