FedRAMP includes 168 security controls

Monday - 1/9/2012, 6:10pm EST

(Correction: Due to a miscalculation, Federal News Radio incorrectly listed the number of security controls. The correct number is 168.)

Vendors wanting to provide cloud service to the government must meet as many as 168 security controls under the FedRAMP program.

The General Services Administration released specific requirements around each of the security controls for FedRAMP last week for systems needing low and moderate security levels.

GSA and the departments of Defense and Homeland Security based these controls on the National Institute of Standards and Technology cybersecurity guidance, Special Publication 800-53, Revision 3, written for the Federal Information Security Management Act (FISMA).

GSA and the Industry Advisory Council (IAC) will hold an industry day for the security controls Wednesday in Vienna, Va.

GSA, DHS, and DoD, which lead the Joint Authorization Board for FedRAMP, released the draft security controls in November 2010 and received more than 1,000 comments, of which 350 addressed the security controls.

"To address these comments, the FedRAMP Program Management Office (PMO) created Tiger Teams with representatives from across the federal government to review, analyze and make recommendations for actions based on each comment. The FedRAMP JAB then reviewed and adjudicated these recommendations to create the FedRAMP security controls and enhancements presented in this document," according to a document released with the controls from the JAB.

The JAB will detail the implementation of the security controls in three publications that it will publish in the next six months:

  • System Security Plan will detail how the requirements of each security control will be met within a cloud computing environment by answering several questions, including what the technology is, who is responsible for implementing it and when it will be implemented.

  • Security Assessment Plan will detail how each control implementation will be assessed and tested to ensure it meets the requirements.

  • Security Assessment Report will detail the issues, findings and recommendations from the security control assessments described in the Security Assessment Plan.

Vendors must first receive approval from third-party assessment organizations that they meet the security controls. Then, the JAB gives the contractor a provisional authority to operate and provide cloud services. The agency buying the cloud services gives the vendor the final authority to operate based on its own assessment of the service's security.

GSA, DHS and DoD plan to release the details of how all of this fits together in the FedRAMP concept-of-operations on Feb. 7.

GSA released the requirements for third-party assessment vendors Dec. 8 and started accepting applications today.

This story is part of Federal News Radio's daily Cybersecurity Update.
