Evolving cybersecurity threats have vexed public and private sector enterprises for years. Cyber experts have struggled to keep pace with threats posed by bad actors who are constantly seeking new attack vectors. The explosive growth of such attacks has led to a growing consensus that organizations must automate as many of the elements of their cybersecurity, risk management and compliance efforts as they can.
For federal systems hosted in public or private clouds, automation is a growing focus of the Federal Risk and Authorization Management Program (FedRAMP), which provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. One of its stated goals is to “increase automation and near real-time data for continuous monitoring,” which takes on greater significance in light of a recent Office of Management and Budget report that calls for agencies to “continue standardizing their IT offerings and cybersecurity capabilities.”
By promoting a standardized approach to security risk management and compliance in the cloud, FedRAMP should be perfectly positioned to provide consistency and trust for the billions of dollars in cloud computing services the federal government is projected to purchase in the years to come.
But despite these admirable ambitions, FedRAMP is plagued by certain challenges, including a lack of transparency, efficiency and accountability, and the cost and duration of the process. Obtaining a FedRAMP authorization to operate (ATO) can take six to twelve months to complete and cost over $500,000. FedRAMP’s current reporting and documentation processes are also often redundant, requiring that the same information be provided in multiple places and displayed in various ways.
In addition, there is a lack of communication between vendors and agencies in understanding where they are in the process of becoming certified. These issues must be overcome in order to keep FedRAMP itself from being a barrier to cloud adoption.
Let’s be clear — the FedRAMP Program Management Office (PMO) fully recognizes these issues and has attempted to address them. But, as Rep. Gerry Connolly (D-Va.) has noted, “Despite its best efforts, FedRAMP continues to suffer from a lack of agency buy-in.”
FedRAMP Reform: Encouraging collaboration, automation and flexibility
That’s why bi-partisan legislation introduced late in the last Congress by Reps. Connolly and Mark Meadows (R-N.C.) to update and improve the FedRAMP process just might be the “kick in the pants” needed in many federal agencies. While it was not acted on before adjournment in December, the proposed FedRAMP Reform Act of 2018 would have, among other things, promoted greater use of commercial-off-the-shelf (COTS) solutions that have already been developed and proven, promoted greater use of automation by agencies to process FedRAMP applications, and encouraged adoption of reciprocal standards among agencies.
Those of us who work in this field know that there are already COTS solutions that can streamline and provide visibility for agencies, cloud service providers and third-party assessment organizations (3PAOs) into the entire FedRAMP authorization process. Use of proven commercial solutions, as called for by this bill, can go a long way toward achieving the agency buy-in needed through efficiencies and savings, such as:
providing a common platform for all parties to do their work, thus speeding up and providing greater visibility into the process;
allowing enterprises to better customize workflows based on individual organizational needs;
allowing enterprises to establish one database and enter the required information only once, and then map that data to multiple reports;
enabling the previously submitted information to automatically migrate as required documents are updated or replaced;
providing greater means for self-assessment by certified systems professionals and chief security officers before engaging a 3PAO; and
promoting consistent continuous monitoring after ATO is received.
Although it can’t solve every problem, the Connolly-Meadows legislation, which is expected to be reintroduced in the new Congress, would substantially boost the government’s efforts to make FedRAMP more effective. Once it is reintroduced, we hope that the House will move quickly to schedule a hearing and act on this measure to improve the FedRAMP process.
Milica Green is a compliance subject matter expert for Telos Corporation.