Next for FedRAMP: Closer integration with DoD

Now that the new cloud standards for high security systems are out under the Federal Risk Authorization Management Program (FedRAMP), the next step is to normalize the standards with the Defense Department’s security requirements guide for level 4 systems.

Matt Goodrich, FedRAMP director, Office of Citizen Services and Innovative Technologies, General Services Administration

DoD’s SRG level-4 is for controlled unclassified information or other mission critical information. DoD updated its SRG in March, saying level 4 is considered FedRAMP-plus for security controls.

According to a white paper from Coalfire Public Sector, the DoD level-4 SRG has 370 total controls, up from 326 under FedRAMP moderate and DoD SRG Level 2.

The Defense Information Systems Agency plans to update the SRG now that the FedRAMP high baseline version 1.0 is final.

Matt Goodrich, the FedRAMP director, said the number of controls under the high baseline increased to 421 from 325, including several required by DoD.

“A vast majority of the new controls relate to stricter processes and automation requirements around technical implementations,” he said. “There weren’t major changes in terms of capabilities [as compared to the draft high baseline], but there were a few control additions and tighter implementations that are present in the final baseline that were not in the original baseline requirements.”

One area that FedRAMP high included was stronger authentication. DoD’s SRG level 4 requires the use of DoD Common Access Card or alternative public key infrastructure token to authenticate users.

Michael Carter, the vice president of governance, risk and compliance at the Veris Group, said the new controls reflect those needs. He said the high baseline requires cloud service providers (CSPs) to use more automation, both to ensure the security controls work and in how users authenticate to the stricter security environment.

“It’s about getting reassurance at the high level that cloud service providers take security seriously and want to do business in high space,” he said. “The biggest sticking points were around e-authentication where under FedRAMP moderate something like an RSA token, a one-time token that is separate from the username and password. But going to the high baseline, CSPs needed to have a validated authentication credential on the backend so it has to have a hard crypto token using NIST FIPS 140-2. That could be a deal breaker on the back end for many cloud providers. Honestly, this is why some approvals took time. A lot of it comes down to automation and how providers build it in to their processes.”

FedRAMP’s Joint Authorization Board (JAB) focused on DoD’s needs for two reasons. First, DoD Chief Information Officer Terry Halvorsen is a member of the JAB, along with the CIOs from the General Services Administration and the Homeland Security Department.

But more importantly, the Pentagon accounts for 33 percent of all high information systems across the government, making DoD the largest potential user of these services.

Additionally, the Veterans Affairs Department runs 16 percent of all high systems, so about 50 percent of all these networks and apps serve service members or veterans.

Goodrich said FedRAMP will focus only on level 4 for now.

“Requirements at the level 5 have some very specific things related to DoD-only systems and some physical segregation,” Goodrich said during a recent webinar on the high baseline.

Along with DoD, DHS (13 percent), the Justice Department (10 percent), the Department of Health and Human Services (6 percent), the Treasury Department (5 percent) and NASA (4 percent) have the next largest percentages of high-impact systems.

Carter said Veris, which works with CSPs under FedRAMP’s third-party provider assessment organization (3PAO) program, is seeing interest in moving to the high baseline from several of its customers.

“Quite a few customers, maybe 10-to-15 percent will ask about getting approved at the high baseline level,” Carter said. “Normally, they are customers who were going down the DoD SRG level 4 path anyways so if they just do FedRAMP high, then they will meet SRG level 4 too.”

So far, three vendors (Microsoft, Amazon and Autonomic Resources) have received approval for their cloud services under the high baseline.

Veris worked with Amazon and Autonomic Resources on the high baseline pilot program.

Carter said the pilot started last fall and lasted until February.

“The biggest outcome of the pilot was it helped us flesh out those new controls and make sure we were covering everything we need to,” he said. “Now that the baseline is finalized and security controls are part of the workflow, the 3PAO community built a workbook for the pilot as a way to bring in new efficiencies. The JAB also was more efficient because it had dedicated staff to work on the high baseline approvals. I think some of those efficiencies led to FedRAMP accelerated process as well.”

Copyright © 2019 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.