The FedRAMP review begins with 28 short-term initiatives

The first part of the overhaul of the Federal Authorization and Risk Management Program is out, but it’s not the document you’re expecting.

In lieu of the Office of Management and Budget’s revised guidance, FedRAMP’s program management office (PMO) released a new roadmap for the cloud security program that outlines 4 primary goals, 6 initiatives, and 28 short-term priorities.

OMB’s updated guidance remains a work in progress after releasing a draft memo in October and accepting comments through Dec. 22. OMB received more than 285 comments.

“Today, what federal agencies need from FedRAMP is not just the computing infrastructure, but everything that builds on it. Modern enterprises today operate on a kaleidoscope of cloud-based applications, large and small. It is critical that FedRAMP is well-positioned to ensure that federal agencies take full advantage of these software-as-a-service (SaaS) cloud offerings,” the PMO wrote in a blog post today. “While SaaS applications are used in government, and FedRAMP has some in its marketplace, it’s not nearly enough and it’s not working as well as it should. We know that many companies, especially software-focused companies, take too much time and money to get FedRAMP authorization. We are particularly aware that we need to scale and automate our own processes beyond where they are now if we are to meaningfully expand the FedRAMP market.”

FedRAMP’s program office has spent much of the past decade, since OMB launched the initiative in 2011, trying to address criticism and frustration about how long it takes and how much it costs to obtain approvals and certifications.

The new plan puts these issues, as well as several others, including reciprocity, front and center through a series of pilot projects that FedRAMP will undertake over the next 18 months.

Source: FedRAMP Roadmap for March 2024.

One such proof of concept will focus on enabling agile software delivery by piloting a replacement “significant change request” process that doesn’t block after pre-approval.

Another would focus on how FedRAMP could better support machine-readable “digital authorization packets” through automation using the Open Security Controls Assessment Language (OSCAL), something the program has been talking about for four years. The plan says FedRAMP will pilot OSCAL with commercial cloud providers and partner agencies.

FedRAMP says, “pilot partners should see reduced PMO review of their packages based on their mature processes.”

DISA, CISA pilots on tap

The other two pilots are focused on cooperation with the Department of Defense and the Department of Homeland Security.

FedRAMP says it wants to test how it can implement a low-screening process with trusted authorization partners like the Defense Information Systems Agency.

“We will work with trusted authorization partners to align our processes and eliminate the need for extensive package review by the program,” the PMO wrote.

Another pilot is a combination of new technology and a shift towards continuous monitoring. FedRAMP says it wants to migrate to a new technology platform and pilot user workflows within that technology. In addition, it wants to test the sharing of threat information between the FedRAMP platform and the Cybersecurity and Infrastructure Security Agency’s Continuous Diagnostics and Mitigation (CDM) dashboard.

“We will also work closely with CISA to develop and implement the best protections for and minimize risk to the federal enterprise. By combining this with more public documentation and examples of how cloud providers are meeting FedRAMP’s security goals, we can also streamline the overall authorization process,” the PMO wrote. “There are other things we’re working on as well, such as exploring reciprocity with external frameworks and partnering with our colleagues at CISA to scale secure configuration guides and threat sharing.”

Hiring a new FedRAMP director

Mike Hettinger, a former House staff member and now president of the Hettinger Strategy Group, said while he was pleased to see the plan, many of the initiatives are variations on what has been tried in the past.

“I’m also glad to see an attempt to address some of the longer-standing issues that previously plagued the program. One issue that stands out to me in this regard is the proposed change management pilot. The question of what triggers a ‘significant change request’ has been a thorn in the side of many cloud providers over the past few years, and any real effort to address it is a welcome change,” Hettinger wrote in an email to the Federal News Network. “I continue to believe that we need to build more efficiencies into the authorization process, including increasing overall capacity and adding automation to speed up the process and reduce costs for CSPs. At the end of the day, we need to find a way to bring more FedRAMP-authorized products to the federal market, so we hope these changes will help.”

The announcement of the plan comes after Brian Conrad, FedRAMP’s acting director for the past three-plus years, stepped down earlier this month.

The General Services Administration said it will hold two information sessions on April 1 and April 3 about the opening of the new FedRAMP director role.

GSA will also hold an informational meeting on the new roadmap on April 11 to answer questions.

“We hope to see numerous results of our efforts over time. We expect our service providers to be able to implement changes more efficiently, and our agency partners to see more features faster — including security features. We expect to stabilize our review ‘backlog’ and keep it stable over the long term. We expect cloud providers, agencies and third-party evaluators to better understand our security requirements, which will lead to higher quality packages and ultimately greater confidence in the FedRAMP program,” the PMO wrote. “Most importantly, we want to understand early on what’s working and what’s not so we can adjust our work and priorities on the fly. That’s why we plan to pilot projects and deliver minimum viable products (MVPs) early wherever we can, and why we’ll be checking in with customers throughout the process.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
