Matt Goodrich, the director of the Federal Risk and Authorization Management Program, told attendees of a cloud computing conference Thursday that the first draft of the program’s new high-security baseline would come out before the end of the month.
Constructed with input from the departments of Defense, Homeland Security, Veterans Affairs, Justice and Health and Human Services, the new baseline aims to standardize how agencies can store data with higher sensitivity levels. Goodrich said it uses information pulled from a number of data sets, including PortfolioStat and DHS’ inventory on agencies’ Federal Information Security Management Act requirements.
The public will have 45 days to comment, after which FedRAMP will reassess the baseline and again reopen it for comment.
“One thing that is different that I think industries and agencies will appreciate is previously we have put things like this out for comment and say, ‘Here is the baseline, respond to it,'” Goodrich said. “What we are doing this time is trying to have more open dialog with agencies and industry by saying, ‘Here’s what we selected for the baseline and here’s why.'”
The new baseline comes as part of FedRAMP Forward, the two-year roadmap unveiled last month that seeks to refine the cloud security process for agencies, cloud service providers (CSPs) and the independent third parties (3PAOs) that approve the services for use.
During his talk, which aimed to provide some calm to what he called the “crazy landscape” of cybersecurity, Goodrich also outlined other developments that are happening ahead of schedule, including the upcoming debut of a redesigned FedRAMP.gov. The new site will have an improved user experience as well as access to information about training sessions for agencies, CSPs and 3PAOs so they understand the full landscape of the government’s cloud computing efforts.
“We’ve built our program on stakeholder buy-in and transparency and consensus building, so we’ve been really transparent with our clients, but I don’t really know that we’ve always been so transparent as a [Program Management Office],” Goodrich said.
Goodrich also said FedRAMP will be creating working groups to help figure out compliance methods for government mandates like Personal Identity Verification or Homeland Security Presidential Directive 12.
“Whether it’s something like Heartbleed or a new initiative like CDM, [we are] making sure we continue to adapt and make sure that the program is relevant to the ever-changing landscape,” Goodrich said.