via Fierce Government IT
Federal officials at work on the Federal Risk and Authorization Management Program have agreed on a set of minimal common security controls for cloud computing, said a senior General Services Administration official March 29.
Officials from the departments of Defense and Homeland Security, and GSA, have identified 114 Federal Information Security Management Act security controls, plus an additional four to five continuous monitoring controls that will form the FedRAMP baseline, said Sanjeev “Sonny” Bhagowalia, GSA deputy associate administrator in the office of citizen services and innovative technologies. He spoke before an industry audience in Arlington, Va. assembled for an Industry Advisory Council network and telecommunications special interest group meeting.
The intent behind FedRAMP is to allow agencies to make use of commonly accepted risk assessments and cybersecurity evaluations of low to moderate impact cloud services, allowing federal agencies to implement a cloud solution without having to individually certify and accredit the solution for themselves. (“Certification and accreditation,” a FISMA prerequisite for a system to operate within an agency network, is also being called “assessment and authorization” under some circumstances these days.)
“We have come up with a way, we think, of a unified set of controls and a new policy and a model of how we’re going to make this work,” Bhagowalia said.