The FedRAMP Security Requirements "describes the U.S. Government’s proposed Assessment and Authorization (A&A) for U.S. Government Cloud Computing." In chapter 1, the FedRAMP PMO defined the proposed requirements (security controls) for a Low- and Moderate-Impact Cloud Computing environment (although not specifically characterizing any specific applicability to the Cloud Delivery or Service Model). In addition, the FedRAMP (DRAFT) publication draws on the existing NIST standards and guidelines to support the authroization of Cloud Services for the Federal Government. However, the FedRAMP publication limits the scope and tailoring of the control requirements to specifying the control parameters [refer to Section 3.3 within NIST SP 800-53, Rev. 3] and adding some additional Control Requirements and Supplemental Guidance to that which already exists within the Security Control Catalog (refer to NIST SP 800-53, Rev 3 - Appendix F).
In the past, NIST has supplemented NIST SP 800-53 to address "information system that differ significantly from traditional administrative, mission support, and scientific data processing information systems." (Refer to NIST SP 800-53 - Appendix I which establish a security control baseline specific to Industrial Control Systems). Although, Cloud Computing is not a new technology, it is a unique capability with unique security challenges.
The FedRAMP Cloud Computing Security Requirements Baseline section within FedRAMP.net (http://www.fedramp.net/Cloud+Computing+Security+Requirements+Baseline) will focus on exploring the selected security control baseline as part of the "Proposed Security Assessment & Authorization for U.S. Government Cloud Computing (DRAFT)" to:
- Ensure coverage and applicability within Cloud Computing operating environments and within NIST SP 800-53, Rev. 3;
- Identify and address Cloud-specific security considerations relevant to the objectives of each security control; and
- List relevant references to support implementation and assessment
If you are interested in contributing your input, register at FedRAMP.net.