Exploring the FedRAMP Cloud Computing Security Requirements Baseline

The FedRAMP Security Requirements "describes the U.S. Government's proposed Assessment and Authorization (A&A) for U.S. Government Cloud Computing." In chapter 1, the FedRAMP PMO defined the proposed requirements (security controls) for Low- and Moderate-Impact Cloud Computing environments (although without characterizing their applicability to any specific Cloud Delivery or Service Model). In addition, the FedRAMP (DRAFT) publication draws on the existing NIST standards and guidelines to support the authorization of Cloud Services for the Federal Government. However, the FedRAMP publication limits the scope and tailoring of the control requirements to specifying the control parameters [refer to Section 3.3 within NIST SP 800-53, Rev. 3] and adding some Control Requirements and Supplemental Guidance to what already exists within the Security Control Catalog (refer to NIST SP 800-53, Rev. 3 - Appendix F).

In the past, NIST has supplemented NIST SP 800-53 to address "information system that differ significantly from traditional administrative, mission support, and scientific data processing information systems." (Refer to NIST SP 800-53 - Appendix I, which establishes a security control baseline specific to Industrial Control Systems.) Although Cloud Computing is not a new technology, it is a unique capability with unique security challenges.

The FedRAMP Cloud Computing Security Requirements Baseline section within FedRAMP.net (http://www.fedramp.net/Cloud+Computing+Security+Requirements+Baseline) will focus on exploring the selected security control baseline as part of the "Proposed Security Assessment & Authorization for U.S. Government Cloud Computing (DRAFT)" to:

  • Ensure coverage and applicability within Cloud Computing operating environments and within NIST SP 800-53, Rev. 3;
  • Identify and address Cloud-specific security considerations relevant to the objectives of each security control; and
  • List relevant references to support implementation and assessment.

If you are interested in contributing your input, register at FedRAMP.net.



Thanks, I have explored your site FedRAMP and I found out that there are many requirements on the Computing in the Cloud Security.