Friday is the deadline to submit comments on the Federal Risk and Authorization Management (FedRAMP) draft high baseline. With comments already pouring in, stakeholders are getting the first look at how the new security level will take shape.
The high baseline will authorize third-party cloud service providers to host sensitive data, including personally identifiable information and health records — information that could do serious harm if leaked.
The baseline will not cover classified or unclassified controlled information, however. Defense agencies and other departments looking to put highly sensitive data (level 5 and 6) in the cloud will be looking to implement a FedRAMP high-plus, using the high baseline as a starting point with added, agency-specific requirements grafted on, as outlined in the Defense Information Systems Agency's most recent cloud security guidance.
The FedRAMP program office has already received more than 60 comments from 10 agencies and industry representatives, according to FedRAMP Director Matt Goodrich, who noted they usually received the vast majority of responses on the deadline date.
"I consider that a healthy number in advance of the final deadline," he said.
So far, the comments have generally fallen into one of three areas:
- More clearly defining parameter selections;
- Establishing who is responsible for implementing controls for various service models, such as Infrastructure-as-a-Service or Software-as-a-Service; and
- Additional guidance on how the controls apply to virtual boundaries and services.
After Friday's deadline, the FedRAMP PMO will bring together a "tiger team" from several federal agencies to help sift through the comments.
A second draft is expected this summer, with another 45-day comment period. The final high baseline is on track to be released before the end of 2015, Goodrich said.
Agencies have been eagerly awaiting a high baseline but that doesn't necessarily mean the moderate and low levels will be left behind.
"The high was needed for a lot of different agencies but I think cost is still going to be a prohibitor just to make your system a high," said Michael Smith, deputy CISO at CCSi, one of the third-party assessment organizations that performs FedRAMP reviews. "Having a system at a high baseline … is going to require extra resources. So I think cost is still going to be a factor in stopping system owners from doing an erroneous high-high-high when it's not necessary."
Those costs will eventually come down, Smith said, as more service providers get authorized, introducing more competition. But the ability to dial in the right requirements to meet an agency's needs is one of the main selling points of FedRAMP.
"We're in a climate where the federal space is trying to save money and be efficient in different areas," Smith said. "One of the main reasons FedRAMP has taken off is because agencies have been able to enjoy economy of scale — the flexibility to save money — that's going to help stem making everything a high system."
The process will also take a bit longer — a criticism already seen at the moderate level, where approvals take anywhere from nine to 16 months.
The larger number of controls and their more stringent nature will likely extend the review and assessment process by 60 days to 90 days, in Smith's estimation. Cloud providers could speed up the assessment time if they add more resources but that would also lead to higher costs.
Aaron Boyd is an award-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.