Cloud Exchange 2024: GSA’s Ryan Palmer, CISA’s Chad Poland on new tools to help agencies protect data in the cloud

The General Services Administration’s FedRAMP cloud security program is launching a pilot to allow cloud service providers to quickly introduce security features into their products.

Ryan Palmer, senior technical and strategic advisor for FedRAMP at GSA, said the pilot will launch this summer. The effort is centered on a “nonblocking significant change request process,” Palmer said.

“We’re working on running a pilot where some capabilities and some changes are going to be able to be made with an informed but not an approved step for those agencies,” Palmer said.

Palmer joined Chad Poland, cybersecurity product manager at the Cybersecurity and Infrastructure Security Agency, for a panel during Federal News Network’s Cloud Exchange 2024 to discuss continuing initiatives at GSA and CISA to help agencies secure their cloud presences.

Making FedRAMP more adaptable

Currently, FedRAMP requires cloud service providers have an approved “significant change request” before making major updates to their already authorized cloud services, such as new technologies.

The process has been seen as an impediment, however, to CSPs introducing new features that could help better secure agency data and services.

“I think that pilot can enable some of those capabilities to be offered,” Palmer said. “There’s a crawl, walk, run approach I think we have to do when we look at how we do change management within the program.”

The pilot comes amid broader reforms to the long-running FedRAMP program. The reforms are aimed at addressing the time and cost for CSPs to get approved. The changes are specifically intended to expand the pool of available software as a service offerings for agencies, Palmer said.

GSA released a FedRAMP roadmap earlier this year to help guide the program’s evolution. The Office of Management and Budget is also finalizing a White House draft memo on FedRAMP.

Palmer said GSA is also looking to introduce more automation into the process, including by moving to a common data format for FedRAMP authorization documents.

“Once we get there — and I think we’re going to get there fairly quickly — we can start using that data and combine data to start speeding up the process,” he said.

Automation could help cloud service providers catch errors in their paperwork, for instance, potentially saving time during the FedRAMP review process. Palmer compared it to tax preparation software that alerts users to obvious errors and typos.

“Through automation, I see us providing increased insights to cloud service providers early in the process,” he said.

CISA dives deeper on SCuBA

Meanwhile, CISA continues to work on additional tools and services as well.

For example, its Secure Cloud Business Applications, which offers agencies baseline security configurations for their cloud environments, finalized the Microsoft 365 secure configuration baseline in December. SCuBA is also piloting a draft configuration for Google Workspace products with several agencies.

Poland said the strength of the SCuBA baselines is in their specificity.

“They’re very prescriptive,” he said. “So it tells an end user exactly what setting they need to change, why they should change it via a rationale statement. And then we’ve actually gone a step further and provided mappings to MITRE ATT&CK so that they know, if they turn the setting on, what actual TTP it’s going to prevent.”

The program also offers open source assessment tools that agencies can use to evaluate their security posture for Microsoft 365 and Google Workspace respectively.

Meanwhile, FedRAMP is examining how to incorporate the SCuBA program’s guidance into secure configuration profiles in the first half of fiscal 2025, according to FedRAMP’s roadmap.

Poland said CISA is also considering how to expand its work on secure configurations to other cloud products beyond Microsoft 365 and Google Workspace.

“There are hundreds of other SaaS products out there on the marketplace, and then thousands of other SaaS products out there not on the FedRAMP marketplace,” he said. “How can we scale that and try to see if we can mimic that same type of prescriptive guidance for organizations?”

Ensuring secure government AI adoption

Both CISA and GSA are also playing pivotal roles in the government’s secure use of AI. In March, GSA released a draft emerging technology framework to help prioritize FedRAMP’s approval process for technologies like AI.

FedRAMP finalized the prioritization framework on June 27. Vendors can start submitting generative AI capabilities for priority approvals starting Aug. 31.

Palmer said GSA received more than 200 comments on the draft.

“We’ve tried to incorporate those changes into the final framework,” he said. “Some of the things that we heard were the concerns around the limits that we had in the framework. We tried to adjust those and clarify that those are going to be flexible and really driven by agencies’ needs.”

Many commenters also focused on the framework’s benchmarking process.

“Collectively, people liked the benchmarks,” Palmer said. “But some of the concerns around the benchmarks were, ‘How are they relating to different agency use cases?’ Let’s say there’s a need for an AI large language model to do a translation capability. Is the highest performing large language model also the best one for that translation? There could be large language models that are related to specific industries or particular government areas that may be the highest performing but may not show up on the initial benchmarks. So we are looking at standardized communication around what benchmarks are relevant to the use cases and what those use cases are for particular models that are being offered as part of a cloud service offering.”

CISA’s SCuBA program is also examining the incorporation of AI into the Microsoft 365 and Google Workspace products, Poland said.

“Both of them are add-ons to those base platforms,” he said. “And so once we go to the internal approval process, we’re going to get those into our test environments and see how they affect and change some of those configurations. Do we need to provide additional policies? Does our assessment tool need to adapt to make sure that we’re capturing everything? Can we leverage some information from that in order to make our products better? It’s something we’re already working on.”

Discover more articles and videos now on Federal News Network’s Cloud Exchange 2024 event page.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.