FedRAMP has some major changes in the works that will benefit both federal agencies and cloud providers. From automated authorization processes to updated requirements and training for third party assessors, FedRAMP is looking to make it easier than ever to align federal agencies looking to transition to a secure cloud environment with cloud providers offering solutions.
At the June 13 ATARC Cloud Summit, Matt Goodrich, director of the General Services Administration’s FedRAMP, detailed some of the changes FedRAMP has coming in the near future. Not least of these, FedRAMP is, like many other government organizations, looking to enhance its services with automation.
FedRAMP has been working with the National Institute for Standards and Technology to begin implementing OSCAL, its automated control language for security authorization. Currently, federal agencies struggle with the fact that security controls are presented in ways that are subjective, open to interpretation, and require manual data entry in order to be used. The existence of multiple regulatory frameworks within a single agency compounds the issue.
That’s why NIST is creating a standardized control language as an objective and machine-readable format for the representation of security controls. This would help speed the process along, create interoperability, better define specifications and enable automation.
“We’ve been partnering with NIST to make sure that they have enough resources to speed that up a bit to make sure we can try and get something out by the end of this fiscal year, at least in a minimally viable way, to begin testing that out,” Goodrich said. “We think that’ll really help agencies transform the way they’re doing their work by making sure they can use whatever tool they want to use, and automate whatever they can in that process to do the authorizations.”
It’s important to Goodrich that agencies be able to use whichever tool they prefer. He said no one wants to open FedRAMP’s System Security Plan, which is just too large to be practical. Goodrich says even he navigates it using the “ctrl-F” search function.
Instead, FedRAMP wants agencies to feel comfortable with the tools they use and secure in the knowledge that the data will be transferable. OSCAL will help accomplish this.
It should also help FedRAMP amplify the effect it’s having on the federal push to secure cloud environments. Last year, Goodrich said FedRAMP’s seven federal employees attended more than 750 meetings, and have helped the government avoid spending more than $170 million per year on cyber. FedRAMP currently covers one-third of the world’s internet traffic with providers, and covers around 5 million assets.
Automation should allow them to expand on those effects.
FedRAMP is also going to be increasing the number of authorized cloud services.
“This is obviously something that everybody wants,” Goodrich said. “The more cloud services you have for agencies, the more options you have, the more things you can move to the cloud. For vendors, the more that are in [the program], the more agencies can use their services.”
And this isn’t just generalized cloud services; Goodrich said FedRAMP currently has 15 tailored authorizations in process. Three have already happened, and there’s a lot of momentum in this area. In tailored authorizations, agencies can partner with vendors and act as an independent auditor.
But if that doesn’t appeal to an agency, FedRAMP is also planning on updating requirements for its 3PAOs (third-party assessment organizations), which it hopes to release later this month.
In particular, it’s looking to bolster the program by adding a hands-on testing exercise for individual assessors. It wants to start seeing accreditations around individual assessments, not just organizations.
“Right now we accredit individual organizations, but don’t really go down to the assessor level,” Goodrich said. “And so what we’re looking to do is enhance the program to ensure that all of our assessors are authorized as well.”
FedRAMP plans to roll this out over the next few months. Meanwhile, FedRAMP just released its new training platform earlier this month, comprised of 300-level courses. Goodrich said FedRAMP wanted to respond to all the demand for more training.
It also just released authorization boundary guidance, which teaches agencies how to be aware of their smaller systems, and how federal data can be affected by the interaction with larger systems.
Add to all of that two new playbooks FedRAMP intends to release later this year, and Goodrich said they’re going to have to make it easier to find documents on the website.