The Defense Information Systems Agency is working with the military to identify mission-critical systems and running pilot tests for the additional Federal Risk and Authorization Management Program Level 3 security requirements, Federal News Radio reported Thursday.
Jason Miller writes the tests are conducted to help the Defense Department’s risk executive function determine the applicability of the new requirements and the acceptable risk in bringing critical applications to the cloud.
“We are looking at the business case of the additional parameters for controlled unclassified information, because we are very conscientious about where our data resides and how it’s protected,” said Kevin Dulany, risk management oversight chief at DoD’s office of the chief information officer.
Miller reports Levels 3 and 4 have at least 20 added security standards, although agencies are also concerned about a potential new baseline for applications rated beyond the moderate level.
According to FedRAMP Director Maria Roat, agencies rated only 12 percent of their systems as having high security requirements, and they are also having difficulty pinpointing those systems.
However, as the June 5 deadline has passed for agencies to use cloud services that comply with the new FedRAMP low-to-moderate standards, agencies continue to adjust to the new requirements.
With the possibility of new standards for high-rated systems and changes to the continuous monitoring process, FedRAMP is also looking at future changes to the federal cloud service marketplace, writes Miller.
“We are thinking through that, as well as taking feedback from the cloud service providers and really getting industry’s take on what should the program look like two years out and how it’s going to morph,” Roat said.