FedRAMP includes 168 security controls
Monday - 1/9/2012, 6:10pm EST
Vendors wanting to provide cloud service to the government must meet as many as 168 security controls under the FedRAMP program.
The General Services Administration released specific requirements around each of the security controls for FedRAMP last week for systems needing low and moderate security levels.
GSA and the departments of Defense and Homeland Security based these controls on the National Institute of Standards and Technology's cybersecurity guidance for the Federal Information Security Management Act (FISMA), Special Publication 800-53, Revision 3.
GSA and the Industry Advisory Council (IAC) will hold an industry day for the security controls Wednesday in Vienna, Va.
GSA, DHS, and DoD, which lead the Joint Authorization Board for FedRAMP, released the draft security controls in November 2010 and received more than 1,000 comments, of which 350 addressed the security controls.
"To address these comments, the FedRAMP Program Management Office (PMO) created Tiger Teams with representatives from across the federal government to review, analyze and make recommendations for actions based on each comment. The FedRAMP JAB then reviewed and adjudicated these recommendations to create the FedRAMP security controls and enhancements presented in this document," according to a document released with the controls from the JAB.
The JAB will detail the implementation of the security controls in three publications that it will publish in the next six months:
- System Security Plan will detail how the requirements of each security control will be met within a cloud computing environment by answering several questions, including what the technology is, who is responsible for implementation and when the technology will be implemented.
- Security Assessment Plan will detail how each control implementation will be assessed and tested to ensure it meets the requirements.
- Security Assessment Report will detail the issues, findings and recommendations from the security control assessments detailed in the Security Assessment Plan.
GSA, DHS and DoD plan to release the details of how all of this fits together in the FedRAMP concept-of-operations on Feb. 7.
GSA released the requirements for third-party assessment vendors Dec. 8 and started accepting applications today.
This story is part of Federal News Radio's daily Cybersecurity Update.