FedRAMP finally releases high-impact security baseline

After a lengthy process, the General Services Administration’s Federal Risk Authorization and Management Program released its high-impact security baseline Thursday.

The policy now allows federal agencies to store highly sensitive information on any cloud service provider once it’s been given the FedRAMP seal of approval — provided certain controls are in place.

The baseline, which has been in the works since January 2015, adds 100 security controls on top of the program’s moderate impact level. With 421 controls in place, the baseline lets agencies explore moving the legacy systems that account for over half of the federal IT budget to the cloud.


“Around half of IT spend is around protecting the 80 percent of data that is low to moderate” impact levels, FedRAMP Director Matt Goodrich told FedScoop, adding that spend went into the operations and maintenance of legacy systems, including the cost of owning data centers.

“We are now able to break into that other 50 percent of high impact systems so agencies can move that over to the cloud and realize the efficiency of the cloud,” he said.

Three companies — Amazon Web Services, Microsoft and CSRA — have been provisionally approved to carry high-impact data after they participated in the baseline’s pilot program.

“We are pleased to have achieved the FedRAMP High baseline, giving agencies a simplified path to moving their highly sensitive workloads to AWS so they can immediately begin taking advantage of the cloud’s agility and cost savings,” said Teresa Carlson, Amazon Web Services’ worldwide public sector vice president. “By demonstrating the security of the AWS Cloud with the FedRAMP High baseline, agencies can confidently use our services for an even broader set of critical mission applications and innovations.”

“We believe our success in meeting the rigorous security standards and achieving the accreditation demonstrates CSRA’s commitment to providing cloud security for our customers and further strengthens our capabilities in next-generation IT,” said John Keese, CSRA’s director of government cloud services.


Additionally, Microsoft’s Azure Government Cloud has been approved by the Defense Information Systems Agency to carry data at security impact level 4, which covers controlled unclassified information that’s highly sensitive.

“Microsoft has been working with the FedRAMP PMO on the certification process and approach, from the time the program was established all the way through to our receipt of FedRAMP High for Azure Government,” said Susie Adams, CTO of Microsoft Federal, of the FedRAMP news.  “The positive changes announced by the FedRAMP team are a direct result of its collaboration with the federal cloud service provider community, and will streamline and speed this process, helping providers like Microsoft add more services more quickly so that agencies can take full advantage of the cloud and meet ‘Cloud First’ policy objectives.”

The baseline comes as FedRAMP has spent the past few months retooling its outreach and processes between the government and cloud service providers. Earlier this year, FedRAMP moved to a process aimed at drastically reducing the time it takes for cloud service providers to earn an authority to operate and begin selling to federal agencies.

Goodrich told FedScoop that providers will follow the same accreditation process no matter what impact level they are looking to obtain.

“The same thing that we are doing with FedRAMP accelerated will apply to the high-impact systems,” he said. “The only difference is the additional controls. Our providers will have to implement additional controls and have additional maturity in their ability to deliver their services.”


One of the reasons for the delay in releasing the high baseline is the work FedRAMP did with the Defense Department: the initial release was held back for a few months so that FedRAMP could closely match its high baseline to the Level 4 requirements defined in the DOD’s cloud security requirements guide.

“We spent a certain amount of time with the DISA team to make sure our baseline was as close to their baseline as possible,” Goodrich said. “We added a few controls and changed a few parameters, but the hope is that the Level 4 baseline would align with FedRAMP High” in the next version of DOD’s requirements.


Written by Greg Otto
