GSA Has a New Plan for Cloud Providers Navigating Changing Security Standards

[InfoSec News <alerts () infosecnews org>]

http://www.nextgov.com/cybersecurity/2014/04/gsa-has-new-plan-cloud-providers-navigating-changing-security-standards/83014/

By Frank Konkel
Nextgov.com
April 22, 2014

The General Services Administration released a transition plan on Tuesday 
that provides guidance to cloud computing service providers that will have 
to adhere to new baseline security standards slated for release in June.

The transition plan will govern how CSPs adhere to upcoming changes to the 
Federal Risk and Authorization Management Program, or FedRAMP, based on 
the fourth revision of the National Institute of Standards and 
Technology’s Special Publication 800-53.

The plan provides specific guidance to CSPs at varying stages.

CSPs in the early “initiation” phase will have to implement new baseline 
standards and test SP 800-53 Rev. 4 controls before receiving 
authorization. Those in the FedRAMP pipeline before June 1 will be 
assessed against current FedRAMP baseline standards – based on NIST’s SP 
800-53 Rev. 3 – but will have one year from the authorization date to 
implement the new baseline, submit new documents using updated templates 
and test their controls against new Rev. 4 controls.

Similarly, CSPs with FedRAMP-accredited solutions with an annual 
continuous monitoring assessment completed prior to June 1 will have “one 
year from the date of their last assessment” to implement the new baseline 
and complete testing. CSPs with an annual assessment scheduled between 
June 1, 2014 and Jan. 1, 2015, must implement the new baseline and 
complete testing in 2015.

[...]

--
Subscribe to InfoSec News
http://www.infosecnews.org/subscribe-to-infosec-news/