After a year and a half of revisions and one intensive pilot, the Federal Risk and Authorization Management Program (FedRAMP) rolled out the final version of the high impact baseline, a framework for authorizing third party vendors to host some of the government's most sensitive data in the cloud.
Agencies are now able to certify cloud service providers (CSPs) to handle the kind of data that could affect "life and limb or lead to financial ruin," as FedRAMP Director Matt Goodrich explained.
"We first started creating this with [the Department of Homeland Security, Veterans Affairs, Department of Defense, Department of Justice and Health and Human Services]. If you think about it, that relates to what the high impact baseline, high impact systems really cover," he said, citing DoD's information on soldiers, VA and HHS's work with personal health information and the troves of sensitive data held by DOJ and DHS that could have major, immediate adverse effect on people if compromised.
Goodrich said the FedRAMP program office is working on an expedited pathway for CSPs with moderate certifications to obtain a high authorization, but added that the process is designed so that getting a high authorization isn't any harder than getting a low or moderate one, so long as the CSP has the proper controls in place.
"That's the beauty of this: The requirements follow the same process," he explained. "So while a vendor does actually have to implement those controls and make sure they're in place, in terms of the process for the authorization and the way we've designed this, we believe it should be able to have the same return on investment and speed as moderate."
The high baseline includes more than 420 security controls — about 100 more than the moderate baseline — ranging from how virtual instances are segmented on a server to the physical security restricting access to data centers. Many of the broader ideas behind the controls are also included in the moderate level; the big difference is automation.
"Humans can mess things up. So if there is any place where a vendor can automate something, it likely has to be automated for the high baseline," Goodrich said. "We want to take out all the aspects of human error because you're looking at things that are life, limb or financial ruin."
He also noted the security level is higher than most systems in the private sector, which are generally at the moderate level.
FedRAMP officials first proposed the high baseline in January 2015 and spent most of last year refining drafts. Three CSPs — CSRA/Autonomic Resources, Microsoft's Azure GovCloud and Amazon Web Services' GovCloud — participated in a pilot program to upgrade their certifications from moderate to high.
That pilot wrapped in March and, for the last few months, FedRAMP officials have been working with the Department of Defense to align the high baseline with the latter's Level 4 controls to make the baseline more portable.
While systems certified at the high baseline will also be able to hold less sensitive information, the new baseline won't preclude agencies from awarding new low and moderate authorizations, as those still have a place.
"The high was needed for a lot of different agencies but I think cost is still going to be a prohibitor just to make your system a high," Michael Smith, deputy CISO at CCSi, one of the third-party assessment organizations that performs FedRAMP reviews, told Federal Times last year as the high baseline was in development. "Having a system at a high baseline … is going to require extra resources. So I think cost is still going to be a factor in stopping system owners from doing an erroneous high-high-high when it's not necessary."
Aaron Boyd is an award-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.