The Federal Risk and Authorization Management Program publicly released its high-impact baseline for cloud security Wednesday to gather feedback for a final revision in the coming months.
The document is a key part of FedRAMP’s two-year roadmap to refine the way the government procures cloud computing services.
The baseline document, which is posted on fedramp.gov, lays out a litany of controls cloud service providers (CSPs) must check off before storing agencies’ highly sensitive data, like electronic health records or other personally identifiable information.
The document calls for CSPs to outline more than 800 different security controls in areas including access control, incident response, physical and environmental protection, and risk assessment.
At a cloud computing conference earlier this month, FedRAMP Director Matt Goodrich said the baseline was established with the help of the departments of Defense, Homeland Security, Veterans Affairs, Justice, and Health and Human Services. Information was also pulled from a number of data sets, including PortfolioStat and DHS’ inventory of agencies’ Federal Information Security Management Act (FISMA) requirements.
The public comment period is open until March 13. The program will then release further draft revisions over the course of the year.