The Federal Risk and Authorization Management Program (FedRAMP) wants to accelerate the adoption and use of secure cloud services across government.
When FedRAMP launched five years ago, most in government hesitated to move to the cloud, in part because of lingering security concerns. With this in mind, FedRAMP launched in phases to help ease the transition.
Starting with low and moderate security standards, FedRAMP authorized cloud solutions that covered the vast majority of systems that agencies wanted to move to the cloud. This included public websites, customer relationship management platforms, and even email systems — nearly 80 percent of all federal information systems.
The moderate security requirements removed many preconceived notions that the cloud is less secure than on-premises solutions. We’ve shown server huggers across government that security typically improves in the cloud.
These authorizations allowed government to more fully realize the promise of the cloud: namely, the utilization of flexible, cutting-edge technologies in a cost-effective model where agencies pay only for services as they use them.
FedRAMP’s Next Phase
FedRAMP’s success led to demand from a growing number of agencies to move more sensitive workloads to the cloud. Until now, FedRAMP hasn’t supported this need, but that recently changed with the release of the High Baseline Requirements.
By definition, high-impact systems process and store data that, if it were compromised, would pose a severe risk to life and limb, or could cause financial ruin. These include systems such as law enforcement databases, defense systems, healthcare applications and financial accounts.
In January 2015, the FedRAMP Joint Authorization Board (JAB) created the first draft of a high-security control baseline. We vetted the draft through a number of government’s largest departments, along with two rounds of public comments. We completed the baseline this past winter after further internal reviews.
Many of the differences between the moderate-baseline requirements and the high-baseline requirements relate to automation. The high-security baseline calls for cloud providers to automate any processes or policies that can be automated to eliminate the potential for human error.
While creating and vetting the baseline, we also piloted a process for the Joint Authorization Board to assess vendors at the high-impact level. We had three goals for this pilot:
- To determine whether commercial providers in a cloud environment could implement the draft FedRAMP high baseline. We wanted to ensure the final baseline requirements weren’t academic, but ones commercial vendors could actually meet through the authorization process.
- To authorize vendors in conjunction with the release of the high-baseline requirements. This would allow agencies to use high-security cloud services immediately.
- To give high-security system owners assurance that the JAB’s provisional authorization process adequately tested vendor systems to ensure security.
To test the high baseline, we used the same process as for low and moderate systems. The process relies on the National Institute of Standards and Technology’s Risk Management Framework.
The high-baseline documentation templates use the same language, updated to include the new controls. Although we tested the baseline with vendors pursuing a JAB provisional authorization, cloud service providers will in the future be able to use the high baseline to pursue either a JAB provisional authority to operate or an agency authority to operate.
Through the completion of the pilot, we provisionally authorized three services through the JAB: Microsoft Azure’s GovCloud, Amazon’s GovCloud, and Autonomic Resources / CSRA.
While testing the process with our vendor partners, we learned lessons that will help other vendors moving forward, such as the need for significant automation and the mandatory use of Federal Information Processing Standard (FIPS) 140-2 encryption. FIPS 140-2 specifies the security requirements that a cryptographic module must satisfy when it is used within a security system protecting sensitive but unclassified information.
This major enhancement to FedRAMP allows agencies to leverage this new standard and the provisional authorization at the high baseline. This allows agencies to move more sensitive information and systems to the cloud — breaking into the $40 billion market of high-impact systems across the federal government.