Federal agency launches cloud computing standards
An interagency team made up of the National Institute of Standards and Technology (NIST), the General Services Administration (GSA), the CIO Council and their working bodies has been developing cloud computing standards for use across federal agencies. The team evaluated security controls and multiple assessment and authorization models, U.S. CIO Vivek Kundra wrote in a Nov. 2 draft report released by the CIO Council.
The document describes a governmentwide Federal Risk and Authorization Management Program (FedRAMP) to provide joint security assessment, authorizations and continuous monitoring of cloud computing services for all federal agencies to leverage.
FedRAMP will provide a unified risk management process for cloud computing systems and will operate in an open and transparent manner with federal agencies and private industry, according to the document, which is organized into three chapters:
1. Cloud Computing Security Requirement Baseline
This chapter presents a list of baseline security controls for low- and moderate-impact cloud systems. NIST Special Publication 800-53 Revision 3 provided the foundation for the development of these security controls.
2. Continuous Monitoring
This chapter describes the process under which authorized cloud computing systems will be monitored. It defines the continuous monitoring deliverables, reporting frequency and responsibility for cloud service provider compliance with the Federal Information Security Management Act (FISMA).
3. Potential Assessment & Authorization Approach
This proposed operational approach covers all aspects of an authorization (including sponsorship, leveraging, maintenance and continuous monitoring), a joint authorization process, and the roles and responsibilities of federal agencies and cloud service providers, in accordance with the Risk Management Framework detailed in NIST Special Publication 800-37 Revision 1.
The complete document is available here.
Comments can be submitted using the FedRAMP online comment form, available here, through Dec. 2. Comments can be made anonymously or with contact information if attribution or follow-up is requested. At the conclusion of the comment period, a team of representatives from across the government will review the comments for inclusion in the final documents, according to the CIO Council.