The FedRAMP PMO released the draft FedRAMP High controls for public
comment. Since most of the SSG crowd is federal, and at some point we're
likely to create a FedRAMP High profile within SSG, wanted to make sure
everyone was able to review these before they became policy. Happy to
include SSG community feedback in Red Hat's formal response back to GSA
(for those not providing feedback through their own companies/sponsors)!
Shawn
------------------------------------------------------------------------
*From: *"info fedramp" <info(a)FEDRAMP.GOV>
*To: *FEDRAMP-COMMERCIAL(a)LISTSERV.GSA.GOV
*Sent: *Tuesday, January 27, 2015 5:09:58 PM
*Subject: *[FEDRAMP-COMMERCIAL] Request for Comment: FedRAMP High Baseline
The FedRAMP PMO is releasing a draft high impact baseline for public
comment.
The draft baseline is at the High/High/High categorization level for
confidentiality, integrity, and availability in accordance with FIPS
199. This baseline is mapped to the security controls from the NIST SP
800-53, Rev. 4 catalog of security controls.
FedRAMP worked with key government stakeholders to develop the baseline.
As a part of the creation of this baseline, justifications for each
control selected were provided.
This baseline is being released for 45 days to our industry and agency
stakeholders. The public comment period will end 3/13/2015.
Attached is a spreadsheet detailing the security controls. This
spreadsheet includes the full list of NIST controls. Notes about the
columns within the spreadsheet:
* Column E is the control description provided by NIST. This
description is not being put to public comment but is provided for
context.
* Column J identifies the controls selected for the FedRAMP high baseline
* Column K identifies the justification for the selection of that
control. Any control that is a part of the FedRAMP moderate baseline
or NIST high baseline is a mandatory control and comments are not
requested on these controls as they will automatically be a part of
the FedRAMP high baseline.
* Please provide comments to the selections in column N titled
"Questions / Comments"
DO NOT EDIT THE STRUCTURE OF THE SPREADSHEET. ANY SPREADSHEET WITH THE
STRUCTURE EDITED WILL BE DISCARDED.
The FedRAMP PMO will be holding a webinar regarding the release of this
baseline and to address any questions or concerns regarding this
tomorrow, Wednesday January 28, 2015. To register for this webinar,
please go here <https://attendee.gotowebinar.com/register/8195985436656456193>.
All comments should be provided to info(a)FedRAMP.gov with the subject
title "FedRAMP High Baseline Comments."
Once comments are received, FedRAMP will convene government stakeholders
to review and address all comments received. The baseline will then be
released for a second round of public comments to provide adjudications
of the comments received prior to finalization. The second round of
public comments is expected in Summer 2015.
Thank you.
Sincerely,
FedRAMP PMO
------------------------------------------------------------------------