The National Institute of Standards and Technology issued the fourth generation of its cloud security controls guidelines more than two years ago, but cloud service providers seeking authority to operate in the federal sector haven't had to meet those standards.
That all changes on Jan. 1, as the Federal Risk and Authorization Management Program (FedRAMP) officially makes the transition from Revision 3 to Revision 4 of the Privacy Controls for Federal Information Systems and Organizations (SP 800-53). The Department of Defense will follow the FedRAMP office's lead in the transition, according to a Veris Group report.
Starting in the new year, the FedRAMP program office — including the Joint Authorization Board and ATOs submitted through agencies — will only accept documentation proving a CSP's ability to meet Rev4 standards. This includes new authorizations, as well as annual assessments.
The FedRAMP program office is easing the shift by offering a transition guide and templates to help CSPs realign their documentation. The guide was finalized in June 2014, giving CSPs 18 months to make the transition.
Aaron Boyd is an award-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.