The first piece of the Federal Risk and Authorization Management Program's overhaul is out, but it's not the document you may be expecting.
Instead of the Office of Management and Budget’s revamped guidance, the program management office released a new roadmap for the cloud security program outlining 4 primary goals, 6 initiatives and 28 near-term priorities.
OMB's updated guidance remains a work in progress: OMB released the draft memo in October, accepted comments through Dec. 22, and received more than 285 of them.
“Today, what federal agencies need from FedRAMP is not only computing infrastructure, but everything that’s being built on top of it. Modern enterprises today run on a kaleidoscope of cloud-based applications, large and small. It is critical that FedRAMP be well-positioned to make sure federal agencies get the full benefit of these software-as-a-service (SaaS) cloud offerings,” the PMO wrote in a blog post today. “While SaaS applications are used in government, and FedRAMP does have some in its marketplace, it’s not nearly enough and it’s not working the way that it should. We know that for many companies, especially software-focused companies, it takes too much time and money to get a FedRAMP authorization. And we’re particularly cognizant that we need to scale and automate our own processes beyond where they’re at now if we want to meaningfully grow the FedRAMP marketplace.”
The FedRAMP program office has spent much of the past decade, really ever since OMB launched the initiative in 2011, trying to address the criticisms and frustrations over how much time it takes and the cost to earn approvals and certifications.
The new roadmap puts these issues, and several others including reciprocity, front and center through a series of pilots FedRAMP will undertake over the next 18 months.
One such proof of concept will focus on enabling agile software delivery by piloting a replacement “significant change request” process that does not block on advance approval.
Another would focus on how FedRAMP could better support machine-readable "digital authorization packages" through automation using the Open Security Controls Assessment Language (OSCAL), something the program has been talking about for four years. The roadmap says FedRAMP will pilot OSCAL with commercial cloud providers and agency partners.
FedRAMP says, “pilot partners should see reduced PMO review of their packages based on their mature processes.”
DISA, CISA pilots on tap
Two other pilots are focused on working with the Defense Department and the Homeland Security Department.
FedRAMP says it wants to test out how it could implement a low-review process with trusted authorizing partners such as the Defense Information Systems Agency.
“We will work with trusted authorizing partners to align our processes and eliminate the need for extensive per-package review by the program,” the PMO wrote.
Another pilot combines new technology with the move toward continuous monitoring. FedRAMP says it wants to migrate to a new technology platform and pilot user workflows within it. Additionally, it wants to test the sharing of threat information between the FedRAMP platform and the Cybersecurity and Infrastructure Security Agency's continuous diagnostics and mitigation (CDM) dashboard.
“We will also work closely with CISA to develop and deploy the best protections for and minimize the risk to the federal enterprise. By combining this with more public documentation and examples of how cloud providers meet FedRAMP’s security goals, we can also streamline the authorization process overall,” the PMO wrote. “There are other things we’re working on too, like exploring reciprocity with external frameworks, and partnering with our colleagues at CISA on scaling secure configuration guides and threat sharing.”
Hiring a new FedRAMP director
Mike Hettinger, a former House staff member and now president of the Hettinger Strategy Group, said that while he was pleased to see the roadmap, many of the initiatives are variations of what has been tried in the past.
“I am also glad to see an attempt to address some of the more longstanding issues that have previously plagued the program. One issue that stands out to me in that respect is the proposed pilot on change management. The issue of what triggers a ‘significant change request’ has been a thorn in the side for a lot of cloud providers over recent years and any real effort to address it represents a welcome change,” Hettinger wrote in an email to Federal News Network. “I continue to believe that we must build greater efficiency into the authorization process, including increasing overall capacity and adding automation to speed up the process and reduce costs for CSPs. At the end of the day, we have to find a way to get more FedRAMP authorized products into the federal marketplace, so hopefully these changes help.”
The release of the roadmap comes on the heels of Brian Conrad, the acting FedRAMP director for the last three-plus years, stepping down earlier this month.
The General Services Administration said it will hold two information sessions on April 1 and April 3 about the opening for the new FedRAMP director role.
GSA also will hold an information session about the new roadmap on April 11 to answer questions.
“We’re hoping to see a number of outcomes from our efforts over time. We expect our industry providers to be able to more effectively deploy changes, and our agency partners to see more features — including security features — faster. We expect to stabilize our review ‘backlog,’ and keep it stabilized over the long term. We expect cloud providers, agencies and third party assessors to have a better understanding of our security requirements, leading to higher quality packages and ultimately greater trust in the FedRAMP program,” the PMO wrote. “Most importantly, we want to understand early what’s working and what’s not so that we can adapt our work and priorities as we go. That’s why we’re planning to initiate pilots and deliver minimum viable products (MVPs) early wherever we can, and why we’ll be checking in with customers throughout the process.”