FedRAMP High Baseline Requirements released

FedRAMP authorizes three CSPs for high impact systems

Federal agencies can now store high impact data in the cloud, thanks to the Federal Risk and Authorization Management Program’s release of “high” baseline requirements and an initial trio of vendor authorizations.

The security requirements will protect high impact data -- the government’s most sensitive unclassified data -- in the cloud, according to FedRAMP.

Provisional Authority to Operate  at the high baseline has been issued to Microsoft’s Azure GovCloud, Amazon Web Services GovCloud and CSRA’s Autonomic Resources Cloud Platform. The "FedRAMP High" requirements were being piloted with these vendors by the Joint Authorization Board before the release.

Previously, FedRAMP’s authorization process only covered low- and moderate-impact systems and data. With the high baseline requirements, more federal agencies can move to the cloud and leverage the authorized vendors’ security packages, according to GSA.

The National Institute of Standards and Technology classifies data as high impact if a breach would severely impact an organization’s operations, assets or individuals. This includes personally identifiable information, sensitive patient records, financial data, law enforcement data and controlled unclassified information (CUI). 

Launched in 2011, the AWS GovCloud is an isolated region designed to host sensitive workloads in the cloud. In addition to FedRAMP compliance, AWS GovCloud adheres to U.S. International Traffic in Arms Regulations and Criminal Justice Information Services requirements, as well as Levels 2 and 4 for Defense Department systems, the company said.

Microsoft’s Azure GovCloud authorization covers 13 services, including Azure Key Vault, Express Route and additional customer-facing and internal web applications. Microsoft also announced reaching Information Impact Level 4 DOD Provisional Authorization by the Defense Information System Agency and ITAR readiness, which will allow the DOD and its mission partners to use Azure for CUI. In 2014 Microsoft announced Azure Government’s ability to meet CJIS requirements for federal, state and local governments.

Agencies are already using the high baseline service and are migrating high-impact data to the cloud with authorized vendors, FedRAMP Director Matt Goodrich told FCW, a sister site to GCN. The high baseline could also pave way for more cloud procurement for federal agencies because low and moderate security systems were only addressing about half of the $80 billion federal IT spend, Goodrich said.  Now, all security baseline needs short of classified can be met with cloud services.  

About the Author

Amanda Ziadeh is a Reporter/Producer for GCN.

Prior to joining 1105 Media, Ziadeh was a contributing journalist for USA Today Travel's Experience Food and Wine site. She's also held a communications assistant position with the University of Maryland Office of the Comptroller, and has reported for the American Journalism Review, Capitol File Magazine and DC Magazine.

Ziadeh is a graduate of the University of Maryland where her emphasis was multimedia journalism and French studies.

Click here for previous articles by Ms. Ziadeh or connect with her on Twitter: @aziadeh610.


inside gcn

  • cybersecure new york city

    NYC looks to improve cybersecurity, broadband

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above