News Feature | February 12, 2015

FedRAMP Draft High-Impact Systems Standards Open For Public Comment

By Christine Kern, contributing writer

FedRAMP released draft standards that will serve as a baseline for securing federal high-impact systems in the cloud. The standards will be open for a 45-day public comment period ending on March 13, 2015, and they are anticipated to be finalized by the end of 2015.

According to Fed Tech Magazine, the high-impact systems category includes all cyber-critical infrastructure and key resources identified by a given agency’s Homeland Security Policy Directive 7 plans. FedRAMP Director Matt Goodrich explained that the standards, for the first time, give industry clarification on how to implement security requirements as well as justification for why the standards were selected. “What we want to do is really have a thoughtful dialogue around those security controls that we think are needed at the high baseline,” Goodrich said at an FCW cloud-computing event in Washington, D.C., in January, as quoted by Fed Tech Magazine.

The baseline was created by FedRAMP in conjunction with several agencies, including Defense, Justice, Homeland Security, Veterans Affairs and Health and Human Services. Combined, these agencies represent 75 percent of the market for high-impact systems. The National Institute of Standards and Technology (NIST) was also consulted, since the draft standards are based on NIST Special Publication 800-53, Revision 4.

A spreadsheet detailing the security controls is available for download here.

After comments are collected, FedRAMP will convene government stakeholders to review and address them. A second round of public comments will follow sometime in the summer of 2015, to provide adjudications of the comments received prior to finalization.

The FedRAMP office also will release draft guidance for agencies regarding the effective inclusion of FedRAMP standards in their contracts. The draft guidance will have a month-long open comment period.