The Federal Risk and Authorization Management Program has issued two requests for comment on proposed changes to its Key Security Indicators and a new standard for secure configurations of cloud service offerings.
The public comment period for both RFCs started on Sept. 10 and will close on Oct. 10.
Table of Contents
Updated & New Key Security Indicators
KSIs outline the security capabilities expected from cloud service providers that intend to achieve and sustain a FedRAMP 20x authorization. The proposed updates to existing Phase One KSIs aim to address ineffective or insufficient ones. The changes also include new KSIs for the FedRAMP Low and Moderate baseline to bridge gaps and incorporate additional controls.
Cloud service providers pursuing Moderate authorization during the Phase Two pilot must showcase advanced maturity in depth and automation.
New Secure Configuration Standard
FedRAMP is also seeking public comment on a recommended secure configuration standard, required by Executive Order 14144, titled “Strengthening and Promoting Innovation in the Nation’s Cybersecurity,” as amended by EO 14306, “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144.”
The new standard aims to formalize FedRAMP’s requirements and recommendations, detailing the security configurations federal agencies need to attain before deploying a cloud service. Once finalized, the standard will be applicable to both FedRAMP 20x and FedRAMP Rev5, with the latter proceeding without a beta testing phase.
Related Articles
The U.S. Army’s Communications-Electronics Command Software Engineering Center, or CECOM SEC, and the U.S. Military Academy at West Point have collaborated to evaluate the feasibility of the CECOM SEC-developed mapping between zero trust and the Pentagon’s Risk Management Framework, or RMF. The Army said Thursday the testing sought to collect feedback on the mapping’s application. Zero trust is a modern cybersecurity framework built on the “never trust, always verify” principle. RMF is a systematic structure that authorizes and manages risk in the Department of War’s systems. Helping West Point Enhance Zero Trust Posture According to the Army, the mapping developed
The Federal Acquisition Regulatory Council on Thursday issued new model deviation text for four parts of the FAR as part of the Revolutionary FAR Overhaul, or RFO, initiative. In April, President Donald Trump signed an executive order directing his administration to amend FAR to streamline the federal procurement process and eliminate barriers to doing business with the government. The FAR Council released new text for Part 3 – Improper Business Practices and Personal Conflicts of Interest; Part 17 – Special Contracting Methods; Part 27 – Patents, Data, and Copyrights; and Part 45 – Government Property. These parts are open for
MITRE has released a report highlighting the need for the defense acquisition system, or DAS, to be more warfighter-centric to facilitate the delivery of capabilities that keep pace with the rapidly evolving battlefield conditions. The nonprofit corporation said Friday uniformed engineers and scientists should have sufficient acquisition training and authorities to rapidly innovate and address emerging problems at the tactical edge. Extreme Product Ownership MITRE cited U.S. Special Operations Command’s adoption of “Extreme Product Ownership,” an agile approach that focuses on users and value to reduce risks to development and combat operations. In the report, MITRE mentioned the 160 Special