Page 3 - FCW, July 15, 2016

FedRAMP issues high-security baseline
$50B is the maximum contract ceiling for GSA’s Alliant 2 RFP
The General Services Administration issued its long-awaited high-security baseline for the Federal Risk and Authorization Management Program on June 22.
Previously, federal agencies could migrate only low- and moderate-impact workloads to cloud service providers. The release of the high baseline will allow agencies to more widely use cloud services for their most critical data, FedRAMP Director Matt Goodrich said.
And they can begin immediately. “We already have three vendors ready,” he added. “Agencies are already using the service.”
The three vendors participated in a pilot test of the new high baseline, and they are among the largest CSPs: Microsoft Azure, CSRA and Amazon Web Services. Each now has provisional authority to operate from FedRAMP’s Joint Authorization Board.
The high baseline will allow CSPs to handle and store data — such as personally identifiable information or health records — that if compromised could severely harm agency operations, assets or people.
The new baseline could expand cloud procurement across the entire federal government.
“With low and moderate [security standards], we addressed about half, or $40 billion,” of the $80 billion federal IT market, Goodrich said. Those baselines couldn’t address the security needs of the other $40 billion of federal IT spending, however.
More than a year in the making, the high-security baseline has been subjected to extensive public comment from stakeholders. FedRAMP’s Program Management Office issued a second draft earlier this year that looked at controls after getting input from commercial and federal stakeholders.
GSA has been polishing the latest draft for months, but the release date kept slipping. FCW learned that some of the delay was attributable to a lengthy Department of Homeland Security review. Multiple sources confirmed that the document had been under DHS review for the past month as final touches were made to one control feature in particular.
DHS approval is needed because it is one of the three agencies — along with GSA and the Defense Department — whose CIOs make up the JAB. DHS has other, broader responsibilities for federal network protection and has shown itself to be a stickler for detail.
Goodrich told FCW the lengthy timeline for developing the baseline helped ensure that it would be effective for the critical services it seeks to protect. “With the moderate baseline, you can have shared services outside the boundary” and other less stringent requirements, Goodrich said. “With the high baseline, you can’t be outside the boundary.”
GSA worked with CSPs, third-party assessment organizations and the other two JAB agencies to refine the baseline. Goodrich said the collaboration will help efforts to speed cloud approvals through the FedRAMP Accelerated program.
— Mark Rockwell
“With the moderate baseline, you can have shared services outside the boundary. With the high baseline, you can’t be outside the boundary.”
7/20 Cybersecurity
ACT-IAC is hosting a forum focused on communicating cyber risks and the value of cybersecurity efforts across the organization.
Washington, D.C.
8/4-7 Emerging tech
The final round of DARPA’s Cyber Grand Challenge — dubbed the world’s first all-machine hacking tournament — will be held at DEF CON 24.
Las Vegas
8/10 Cloud
Justice Department CIO Joseph Klimavicz, Transportation Security Administration CIO Stephen Rice and Army Deputy CIO Gary Wang are among the speakers at FCW’s Cloud Summit.
Washington, D.C.