9 years ago

FedRAMP’s Security Standards for Sensitive Data in the Cloud


Security is very important in cloud computing.

Security has always been an issue when it comes to cloud computing. Naysayers contend that if you move to the cloud, your data will be at risk. However, security on the cloud has been beefed up over the years, and even the federal government now trusts the cloud with sensitive information.

That raises the question: what does the federal government use to secure its data? We can get answers by taking a look at the draft security standards prepared by the Federal Risk and Authorization Management Program (FedRAMP).

The new standards have one purpose: to protect the most sensitive unclassified data that the government keeps on cloud computing platforms. They cover high-impact systems residing in the cloud and are the logical continuation of the government’s efforts to secure low- and moderate-impact systems. The security document is a good place to start to see how disrupted systems would affect organizations, their operations and their assets.

High-impact systems are those needed to support the continuity of various agencies’ operations, including cyber critical infrastructure and other key resources.

The draft is FedRAMP’s first try and is the product of months of hard work. The team also worked with a variety of agencies to come up with the proposed requirements, including Defense, Homeland Security, Health and Human Services, Justice and Veterans Affairs. These departments are responsible for around 75 per cent of all high impact systems in the government. The requirements are based on the National Institute of Standards and Technology Special Publication 800-53, Revision 4.

Officials of the Federal Risk and Authorization Management Program are now seeking comment on the proposal before it is finalized at the end of this year. The initial call for comment would be for 45 days from the draft’s release on January 27. The second draft will then be released for another round of public comments before the final version is released, hopefully before 2015 ends.


The draft and the subsequent final version will be the most comprehensive, rigorous and stringent set of cloud security standards, and FedRAMP says that the standards will continue to evolve. The current set of standards took its cue from the final versions of the standards for low-baseline and moderate-baseline systems, as well as the FedRAMP controls launched in June 2014.

The proposed guidelines would be very important. This is the first document to give the industry a way to clarify how to implement security requirements for their systems. It also explains why certain security standards were chosen and why others were not. The high level of detail should spark conversations in which the public and other stakeholders can point out which standards are missing and which are not necessary, along with an explanation for their opinions. The public might also be able to give cost-saving alternatives that would help agencies cut costs while achieving similar security outcomes.

If you do not want to wait and you want to fully secure your cloud deployments, call Four Cornerstone at 1 (817) 377 1144 today.

Four Cornerstone provides Oracle consulting in Dallas, helping you get the best in class Oracle products and software that helps you get on and take advantage of the cloud.

Photo by Chris Potter.
