From: Fierce Government IT

Federal officials released Jan. 6 security controls that constitute the basis of governmentwide authorization and accreditation of cloud computing systems.

The controls (.zip), part of a program known as FedRAMP, are meant to act as a common federal baseline for low- and moderate- risk cloud services. A Dec. 8, 2011 memo (.pdf) from Federal Chief Information Officer Steven VanRoekel tells agencies to use provisional authorization of public cloud computing services granted via an independent third party using FedRAMP criteria when conducting their own risk assessments.

Provisional authorization granted under the FedRAMP program by a third party doesn’t replace agencies’ need to conduct their own risk assessments, federal officials said during a Dec. 8 press call, but should satisfy the vast majority of local security controls. The FedRAMP program office has yet to release a concept of operations with more details, but plans to within a month, said Homeland Security Department Chief Information Officer Richard Spires in a Jan. 6 blog post. Spires has been active in governmentwide efforts.

Most of the controls have been taken directly from National Institute of Standards and Technology Special Publication 800-53 Rev. 3

Among them is a requirement that passwords constitute at least a 12 character mix of upper and lower case letters, numbers and special characters–although the controls exclude mobile devices from the password complexity requirement.

Cloud computing providers will also have 30 days under the FedRAMP controls to correct high risk vulnerabilities, while the time period for rectifying moderate risk vulnerabilities is 90 days. Providers must also conduct at least quarterly vulnerability scans of operating systems, web applications and databases, the controls say.

For more:
download the FedRAMP security controls from gsa.gov (.zip)
read Spires’ Jan. 6 blog post