By Abel Sussman, Director, TAAS–Public Sector and Cyber Risk Advisory, Coalfire
The Federal Risk and Authorization Management Program (FedRAMP) Project Management Office officially released its High baseline for High impact-level systems. This baseline is at the High/High/High categorization level for confidentiality, integrity, and availability in accordance with FIPS 199; and is mapped to the security controls from the NIST SP 800-53, Rev. 4 catalog of security controls. Previously, the FedRAMP authorization process was only designed for low and moderate impact systems. The number of controls for each of the FedRAMP defined impact system levels is presented below:
The release cumulates several months of work from the FedRAMP PMO, numerous agencies, cloud service providers and key stakeholders that established the draft baseline, collected industry and federal comments, and completed pilot programs.
FedRAMP High Baseline
The establishment of the FedRAMP High Security baseline is critical for federal agencies to migrate more high-impact level data to the cloud. The High baseline is the strongest FedRAMP level to date, covering sensitive, unclassified data. According to FedRAMP Director Matt Goodrich, most of the information to be covered under the High baseline will be law enforcement data and patient health records. This should cover the needs of several civilian agencies, the Department of Defense (DoD), and the Department of Veterans Affairs (VA).
FedRAMP High Baseline Authorized Cloud Service Providers
The three Infrastructure-as-a-Service (IaaS) providers who participated in the FedRAMP High baseline pilot program and achieved Authorization are:
- Microsoft’s Azure GovCloud
- Amazon Web Services GovCloud
- CSRA / Autonomic Resources’ ARC-P
Federal agencies are able to review these vendor’s security packages, through OMB MAX, to begin to use these services immediately.
Coalfire was one of the earliest Third Party Assessment Organizations (3PAO) in FedRAMP, providing FedRAMP assessment or advisory services to cloud service providers in pursuit of their FedRAMP P-ATO or Agency ATO. If you’d like to talk to one of our staff about the new FedRAMP High baseline or have questions about the FedRAMP process, please contact us.