- Cloud Computing Security Requirements Baselines;
- Continuous Monitoring; and a
- Potential Assessment & Authorization Approach.
An appendix contains materials on assessment procedures and security documentation templates. While the end goal of this FedRAMP initiative is to streamline the vetting and procurement of cloud computing across federal agencies, it remains to be seen how this will ultimately work out in the field. As the guidance states on page 46, in the introduction to Chapter 3, Potential Assessment & Authorization Approach:
“the end goal is to establish an on-going A&A approach that all Federal Agencies can leverage. To accomplish that goal, the following benefits are desired regardless of the operating approach:
- Inter-Agency vetted Cloud Computing Security Requirement baseline that is used across the Federal Government;
- Consistent interpretation and application of security requirement baseline in a cloud computing environment;
- Consistent interpretation of cloud service provider authorization packages using a standard set of processes and evaluation criteria;
- More consistent and efficient continuous monitoring of cloud computing environment/systems fostering cross-agency communication in best practices and shared knowledge; and
- Cost savings/avoidance realized due to the “Approve once, use often” concept for security authorization of cloud systems.”
Check back for a detailed analysis of the draft Proposed Security Assessment and Authorization for U.S. Government Cloud Computing.