NIST SP 800-137

Since May 2010 NIST has held periodic workshops and managed working groups to define and advance cloud standards. Leaf said the meetings have served as important “calibrating points on cloud strategy.” NIST’s next cloud computing forum and workshop, its fourth, will be in fall 2011 and will coincide with the publication of a draft, she said.

Meanwhile, GSA will likely promulgate a version of FedRAMP sometime this summer, said Katie Lewin, program manager for Cloud Computing at GSA, adding that the first release will be a “beta version.”

GSA is weeding through more than 1,000 comments on policy, technical and security requirements for cloud computing under FedRAMP, said Lewin. Sixty of the FedRAMP controls received comments on technical feasibility, she said. Overall, GSA plans to reduce controls from initial FedRAMP mock ups.

In preparing for the first iteration of FedRAMP, GSA also wants to minimize agencies’ paperwork burden and emphasize continuous monitoring. Not all controls can be handled by continuous monitoring, said Lewin, but a significant percentage of them can and that would free agencies from formal, quarterly reports. Reducing duplicative FISMA reporting is another goal of the latest revision, said Lewin.

“GSA is trying to make FISMA and FedRAMP more mutually beneficial,” said Lewin. GSA wants to be sure that the two are not battling each other or putting an undue burden on agencies, she added.

FedRAMP aims to allow agencies to use commonly accepted risk assessments and cybersecurity evaluations of low to moderate impact cloud services, avoiding the need to individually certify and accredit solutions.