The General Services Administration released the baseline security controls that federal agencies and cloud service providers must implement within a cloud computing environment to satisfy FedRAMP requirements.
Many of the baseline controls have been taken from National Institute of Standards and Technology Special Publication 800-53 Rev. 3, including a requirement that passwords constitute at least a 12-character mix of upper and lower case letters, numbers and special characters.
“The security controls approved by the [Joint Advisory Board] have gone through an extensive vetting process that began last year with the initial release of FedRAMP documentation,” Department of Homeland Security Chief Information Officer Richard Spires said.
“Since then, the JAB received and incorporated feedback from industry and government alike, to create a baseline of controls to properly address the unique elements of authorizing cloud products and services, including multi-tenancy, control of an infrastructure, and shared resource pooling. This baseline serves all Federal agencies and CSPs, to which additional controls may be added by agencies to meet specific requirements.”
Cloud computing providers will have 30 days under the FedRAMP controls to correct high risk vulnerabilities, while the time period for rectifying moderate risk vulnerabilities is 90 days. Providers must also conduct at least quarterly vulnerability scans of operating systems, web applications and databases, the controls say.
As part of the program, FedRAMP will make publicly available all of the requirements needed to obtain a security authorization for a cloud product or service. The FedRAMP PMO will address questions concerning these controls at questions@FedRAMP.gov.
FedRAMP Security Controls Preface
FedRAMP Baseline Security Controls v1.0