Extending the security baseline and moving to continuous monitoring of cloud service providers are among the top priorities for the federal cloud program over the next two years, its administrator said. 

“I’m looking out about two years. Where should the program be? I’m in that sustainment period,” Maria Roat, administrator for FedRAMP at the General Services Administration (GSA), said at the Federal Cloud Computing Summit in Washington last week.

Currently, FedRAMP only approves cloud providers at low to moderate security impact levels. With growing interest from defense and security agencies, Roat said GSA plans to expand the program for agencies with more sensitive data needs. Nearly 90 percent of systems that would require high baselines are within the Departments of Defense and Homeland Security, according to a GSA report.

“What I really couldn’t get from the agencies a year ago was, ‘what is the need for a high baseline in the cloud?’” Roat said. “I think now the time is really right to dig into the high baseline.”

As for the program’s second major long-term priority, Roat said FedRAMP needs to begin more continuous monitoring of the private firms providing cloud services. Specifically, she has asked her team to determine a maturity level for cloud providers at which GSA would no longer have to do extensive three-part annual checks.

“At what point can we transition off and not have to do annual testing?” she said.

Roat said both of these matters were discussed at the monthly meeting of FedRAMP’s authorizing board Wednesday afternoon before her presentation at the summit.

In addition to outlining the two-year-old program’s future, Roat addressed a recent concern that has been brought up by providers who have foreign data centers. Previous reports have stated that FedRAMP excludes any data centers that are not located within the United States, which severely limits the ability for federal assets to use the cloud at overseas posts. However, Roat said the decision to use a foreign data center run by a FedRAMP-approved company is at the discretion of the agency.

“That’s really not my call,” she said, noting that companies must document their data center locations during the approval process and that they then become subject to the requirements of individual agency contracts.