In an effort to understand the FedRAMP process for Assessment and Authorization (A&A), it is important to look at the basic security controls that will drive the process of designing, implementing and documenting security controls in the Cloud Service Provider's solution prior to going through the FedRAMP A&A process (or attesting compliance with the FedRAMP security requirements).
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter 1: Cloud Computing Security Requirement Baseline
Lines 83-85
83 These controls have been agreed to by a
84 Joint Approval Board made up of users from GSA, DHS & DOD for use within information
85 systems providing cloud computing services to the Federal government.
Suggests that FedRAMP requirements can be individually adopted by Agencies that want to acquire cloud services without using GSA (or by private companies wanting to ensure compliance with FedRAMP requirements without necessarily requiring FedRAMP certification).
Lines 86-87
86 The security controls contained in this publication work in concert with NIST Special
87 Publication 800-53, Revision 3.
Since NIST SP 800-53, Rev. 3 was published in its original updated form in August 2009 (with an errata update in May 2010), NIST has a periodic review cycle (potentially every two years, based on the prior publication of NIST SP 800-53, Rev. 2 in December 2007) to update or deprecate controls where necessary to address changes in the current threat environment. Since the FedRAMP security requirement baseline is derived from NIST SP 800-53, adjustments to the NIST publication will require a review and update (where applicable) of the FedRAMP security requirements. Therefore, Cloud Service Providers will need to be vigilant about changes in NIST publications to ensure that any resulting changes to the FedRAMP security requirements are addressed within their cloud solution, in order to maintain their authorization to operate (ATO).
NIST SP 800-53, Rev. 3 states:
"The security control catalog in Appendix F will be updated as needed with new controls developed from national-level threat databases containing information on known cyber attacks. The proposed modifications to security controls and security control baselines will be carefully weighed with each revision cycle, considering the desire for stability on one hand, and the need to respond to changing threats and vulnerabilities, new attack methods, new technologies, and the important objective of raising the foundational level of security over time. Organizations may develop new controls when appropriate controls are not available in Appendix F."
Although NIST SP 800-53, Rev. 3 has already established baselines for the Low- and Moderate-impact levels, the FedRAMP security requirements are noted in bold where they identify additional control requirements (e.g., enhancements) that go beyond the basic requirements defined for a Low- or Moderate-impact information system in NIST SP 800-53. This is an extremely important aspect when considering the cost-benefit analysis for conducting an Agency-specific C&A (or A&A) for a cloud or non-cloud environment (assuming Agencies or vendors will be conducting their own assessment based on the FedRAMP process).
Additionally, it is important to note the reference to the JAB, defined as the Joint Authorization Board, within the Additional Requirements and Guidance column as the required approval authority ("approved and accepted by the JAB"). This may require extensive coordination and could cause delays or other impacts when Cloud Service Providers (through their sponsoring Agency) seek approval and have to wait for the JAB to meet (either formally or informally).
Questions - How often does the JAB meet, who are its members, and how are they organized?
According to GSA, the JAB is composed of 3 permanent members - DoD, DHS, and GSA - with the sponsoring agency added for each sponsored Cloud Service Provider.