Simplifying processes doesn’t mean losing any rigor. That has been the goal and driving idea for the Federal Risk Authorization Management Program (FedRAMP) over the last five years.
The leadership of the cloud security program management office have heeded that call from industry, agencies and lawmakers alike.
“The things that we’re hearing from our stakeholders is simplicity, increasing automation in the process, growing the federal marketplace and providing more learning opportunities,” said Brian Conrad, the acting director of FedRAMP, in an interview with Federal News Network. “On top of that, we’re in the process of moving from the National Institute of Standards Special Publication 800-53 revision 4 to the revision 5 control catalog. So some of the things that we’re doing is in regards to threat-based scoring. We’re applying that to the controls that are in the 800-53, revision 5 catalog. We’re ensuring that the controls that are in the baselines are value add, that they are helping with the protect, detect and response [cyber activities] in keeping federal information secure.”
FedRAMP issued a white paper in February asking for feedback on the threat-scoring methodology.
“FedRAMP worked with DHS’ Cybersecurity Infrastructure Security Agency .gov Cybersecurity Architecture Review (CISA’s .govCAR). They developed a methodology for scoring each NIST SP 800-53, rev. 4, security control against the National Security Agency’s (NSA)/CSS Technical Cyber Threat Framework v2 (NTCTF),” FedRAMP wrote in a blog post. “Their goal is to enable agencies, cloud service providers (CSPs), and other industry partners to prioritize security controls that are relevant and effective against the current threat environment. This leads to informed, quantitative-based risk management decisions in authorizing information systems for government use.”
Conrad said he hopes agencies and cloud providers will have a better understanding from the threat-based assessment of which controls are best to protect against real-world threats as they appear.
“We’re exploring how this data can be used to produce a risk profile, giving authorizing officials to use quantitative data based on a defensible methodology to make risk decisions,” he said. “We’re not adding controls, just because we think it’s a good idea to add a control. But there’s actually some rigor behind it, and it makes sense in supporting the protection of federal information.”
He added the threat-based methodology also could potentially ease the burden on cloud service providers, third-party assessment organizations and the Joint Authorization Board (JAB) when doing annual assessments.
Strong year in 2020
Along with the threat-based methodology, FedRAMP is working with NIST to apply automation to the program. Through the Open Security Controls Assessment Language (OSCAL), NIST and FedRAMP are hoping by applying the language to certification packages, it can reduce the time and effort to get companies FedRAMP certified.
“We’ve made a lot of progress over the last year with NIST to get OSCAL ready to go. And of course, the partnership with our cloud service providers has been incredibly helpful,” he said. “We have cloud service providers lining up wanting to be a part of pilot programs as are third party assessors who also are looking forward to this too. It’s critical because the implementation of the automation will help reduce the variability in the time and the resources needed to create all these security artifacts.”
Conrad said even with all of these ongoing improvements, FedRAMP had a strong year in 2020.
He said agencies and the JAB authorized 60 new cloud services and reuse of existing CSP authorities to operate grew by 55% last year.
“We know that agencies are soliciting the ability to go evaluate those [ATO] packages, and then we see the ATO letters, from that point, when they request the package to the time we get the ATO letters, there may be certain things going on in the agency that are agency specific, more decision making, an analysis of alternatives, that kind of stuff before they make the decision to go with that particular cloud provider,” Conrad said. “We have seen an uptick in the recipe in the reuse during the pandemic. I think that one of the ways that we can promote reuse is through consistency. From the PMO perspective, our control of the baselines, our policies, our guidance, those are the guardrails of consistency because a CSP that brings multiple offerings through FedRAMP has to understand that the baselines and policy apply uniformly. Same with third party assessors.”
Conrad said the broad goal with many of these initiatives is to ensure that consistency and rigor while continually reducing the burden of FedRAMP.
“I tell this to the cloud service providers that I talk to, and the 3PAOs, that our policies and guidance, they form what I refer to as guardrails on a road. You can’t expect cloud service providers to line up down the center lane because everybody’s a different service model. There’s different technologies, and there’s different size businesses. So having our policy and our guidance being like the guardrails on a road, and the goal is keeping everybody in those guardrails,” he said. “We assess cloud service providers in how they apply those things in a firm, fair and consistent manner, that provides a level of confidence to agencies that the package they’re getting is sound. When we step further into automation, where we have the automated validation and things like that, that’ll help increase the confidence level as well.”