FedRAMP’s Release of High Baseline Requirements Could Signal Shift in Cloud Adoption
The federal government has been encouraging agencies to adopt a “cloud first” mentality for years, but now agencies may finally have a tool that will make them more comfortable with putting sensitive information in the cloud. That could increase the adoption of cloud services across the government.
Late last month, the General Services Administration (GSA) unveiled the “High Baseline Requirements” for its Federal Risk and Authorization Management Program, better known as FedRAMP.
The GSA has been working to streamline the approval process for the program’s cloud service providers (CSPs) so they can be used by agencies. The release of the High Baseline Requirements means that agencies can use cloud services that meet the new requirements to protect sensitive, unclassified data in cloud environments, including data that, if leaked, could lead to loss of life and financial ruin.
A New, Secure Model
Why is the release of the requirements so important? As FedRAMP notes, while 80 percent of federal information is categorized as “low and moderate impact levels,” protecting that data represents only about 50 percent of federal IT spending. The new High Baseline Requirements cover the other half of federal IT spending.
The GSA has been working on releasing the High Baseline Requirements for a while. As FedScoop reports: “The baseline, which has been in the works since January 2015, adds 100 security controls on top the program’s moderate impact level. With 421 controls in place, the baseline allows over half of the budget dedicated to federal IT to explore updating their legacy systems by moving to the cloud.”
FedRAMP Director Matt Goodrich said in a statement that the requirements’ release “breaks down a huge barrier” to federal cloud adoption. “The federal government spends more than $40 billion annually on high impact systems — these are some of the most highly sensitive systems the government maintains,” he said. “The high baseline requirements and provisional authorizations will allow the government to more fully realize the efficiencies and cost savings related to using cloud services.”
Along with the release of the new requirements, the FedRAMP Joint Authorization Board, which is made up of the CIOs of the GSA, the Department of Defense and the Department of Homeland Security, also provisionally authorized three cloud vendors that have demonstrated compliance with the requirements. One of those is Microsoft’s Azure GovCloud.
What Will This Mean for Cloud Adoption?
The new High Baseline Requirements could make federal agencies more comfortable with the cloud.
If IT leaders believe they can safely store all of their sensitive information in the cloud, they are more likely to adopt cloud services for their entire enterprise rather than keep their sensitive data in on-premises data centers.
“This is definitely a pinnacle in the process — a turning point,” Pam Walker, senior director of federal public sector technology at the Information Technology Industry Council, told Federal Times. “One of the reasons you would always see for agencies not wanting to adopt cloud and moving toward that is they would always bring up security: The cloud is insecure, we can’t put our information over there.”
Although the new requirements will not relieve agencies from securing their data, the guidelines should offer a new measure of confidence in the security of the cloud systems the agencies are using.