A HIGH Impact Baseline for Clouds

FedRAMP (the Federal Risk and Authorization Management Program) offers baselines of NIST 800-53 security controls that have been tailored for cloud environments, but it does not offer a HIGH impact baseline. Presumably, HIGH impact systems will use private clouds that sit inside the authorization boundary of the federal agency that implements them, and FedRAMP requirements do not apply to internal private cloud implementations.

When FedRAMP tailored the NIST 800-53 control baselines, it started from the default baselines (the controls NIST lists for the LOW and MODERATE baselines). It added a few controls to each baseline and more than a few control enhancements. It also defined some of the parameters that are normally left for the organization to define, and it added supplemental guidance for some controls.

Even though FedRAMP requirements don’t apply to internal private clouds, the normal NIST security controls and guidance do. It stands to reason that if clouds need a higher standard of security controls, that principle should apply to internal private clouds as well.

To create a HIGH impact baseline of security controls for an internal private cloud, the same methodology can be used: start from the default HIGH impact baseline supplied by NIST, then add the controls and control enhancements that are considered important. First, any controls and control enhancements that FedRAMP added to the LOW and MODERATE baselines should also be added to the HIGH impact baseline.

NIST has also added a matrix of controls that address assurance-related requirements.

“Assurance is the measure of confidence that the security functions, features, practices, procedures, mechanisms, and architecture of organizational information systems accurately mediate/enforce established security policies.”

When additional or higher levels of assurance are needed, this matrix provides guidance for tailoring controls or adding controls to a baseline. It lists suggested assurance-related controls for the LOW, MODERATE, and HIGH baselines and also offers an ENHANCED level. Including these assurance-related controls is another means of extending the HIGH baseline for clouds.

Security risks in some areas may be heightened by the use of cloud-related technology and techniques. Controls that mitigate issues involved with virtualization, controls that deal with encryption, and controls related to Operations Security (OPSEC) should be considered as needed.
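The layering described above, written out as a small Python script. This is an added example, not code from the original post: it normalises control identifiers, unions each layer of additions onto the NIST HIGH baseline, records which layer introduced each added control, and pulls in a base control whenever one of its enhancements is added. The control lists are constructed placeholders, not the real NIST or FedRAMP lists.

```python
"""Constructed example: derive a HIGH-impact cloud baseline by layering
additions onto the NIST 800-53 HIGH baseline, as the post describes."""
import re

# Matches ids such as 'AC-2', 'AC-2(4)' or 'ac-2 (4)'; the enhancement is optional.
CONTROL_RE = re.compile(r"^([A-Z]{2})-(\d+)(?:\s*\((\d+)\))?$")


def parse_control(text: str) -> str:
    """Normalise a control id to the canonical 'AC-2(4)' form."""
    m = CONTROL_RE.match(text.strip().upper())
    if not m:
        raise ValueError(f"not an 800-53 control id: {text!r}")
    family, base, enh = m.groups()
    return f"{family}-{int(base)}" + (f"({int(enh)})" if enh else "")


def sort_key(control: str):
    """Order by family, then numeric base and enhancement (so AC-2 < AC-10)."""
    family, base, enh = CONTROL_RE.match(control).groups()
    return (family, int(base), int(enh or 0))


def build_high_cloud_baseline(nist_high, layers):
    """Return (baseline, additions): baseline is the sorted union of all layers,
    additions maps each id that was not in the NIST HIGH baseline to the layer
    that introduced it. An enhancement also pulls in its base control, since an
    enhancement cannot be implemented without the control it extends."""
    baseline = {parse_control(c) for c in nist_high}
    additions = {}
    for layer_name, controls in layers:
        for c in controls:
            cid = parse_control(c)
            for needed in (cid.split("(")[0], cid):
                if needed not in baseline:
                    baseline.add(needed)
                    additions[needed] = layer_name
    return sorted(baseline, key=sort_key), additions


# Constructed sample inputs; these are NOT the real NIST or FedRAMP control lists.
NIST_HIGH = ["AC-2", "AC-2(1)", "AC-10", "AU-6", "SC-7", "SC-13"]
LAYERS = [
    ("FedRAMP LOW additions", ["AU-6"]),
    ("FedRAMP MODERATE additions", ["AC-2 (7)", "sc-7(8)"]),
    ("800-53 assurance matrix, HIGH", ["SA-11(1)"]),
    ("cloud-specific (virtualization, encryption, OPSEC)", ["SC-28(1)"]),
]

if __name__ == "__main__":
    baseline, added = build_high_cloud_baseline(NIST_HIGH, LAYERS)
    for cid in baseline:
        print(f"{cid:10} {added.get(cid, 'NIST HIGH baseline')}")
```

Running it prints every control in the resulting baseline beside the layer that introduced it, which doubles as the traceability record an assessor will ask for.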

SEE ALSO:
Cloud Security as an Interconnection
Security Metrics for Clouds
New OPSEC Controls in 800-53 rev4
