Government Cloud Standards

The US Government agencies are subject to a wide variety of computing standards designed to protect sensitive government information.

Government Cloud Standards: A Comprehensive Guide

The US Federal government has three program that are of specific interet to cloud security professionals:

• Common Criteria
• FedRAMP (The Federal Risk and Authorization Management Program)
• FIPS 140-2

Common Criteria

The Common Criteria for Information Technology Security Evaluation (referred to as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification.

Source: Common Criteria

The Common Criteria describes an approach for certifying a technology solution or product by evaluating it against the mandatory security requirements, assigning it an assurance level, and approving the solution’s or product’s operations. Government agencies extensively uses Common Criteria program in evaluating the hardware and software products.

FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP®) provides a standardized approach to security authorizations for Cloud Service Offerings.

Source: FedRAMP

As a government-wide program, the FedRAMP provides a standardized approach to security and risk assessment for cloud technologies to encourage adoption of secure cloud services throughout the federal government. In accordance with FISMA, OMB Circular A-130, and FedRAMP policies, the FedRAMP centralizes security requirements for the approval and ongoing cybersecurity of the cloud-based services.

• FISMA: Federal Information Security Modernization Act (FISMA) enforces agencies to protect federal information
• OMB Circular A-130: Office of Management and Budget (OMB) states that when agencies implement FISMA, they must comply to National Institute of Standards and Technology (NIST) standards and guidelines
• FedRAMP Policy: FedRAMP leverages National Institute of Standards and Technology (NIST) standards and guidelines to provide standardized security requirements for cloud services; a conformity assessment program; standardized authorization packages and contract language; and a repository for authorization packages

FedRAMP provides as one-stop certification process for the security of cloud services. allowing vendors to go to a single source for certification that then applies across the US government.

FIPS 140-2

The Federal Information Processing Standard Publication 140-2 (FIPS PUB 140-2) is a U.S. government computer security standard used to approve cryptographic modules.

Source: FIPS 140-2

This Federal Information Processing Standard (140-2) specifies the security requirements to approve cryptographic modules (implementations) for the use of government applications. All goverment agencies and their service providers must make sure all the computer based applications should comply with FIPS 140-2.