Rapid cloud innovation unleashes new capabilities that can sharpen the federal government’s competitive edge, reshape service delivery, and shield the country from the threats of the modern world. Unfortunately, the antiquated Authority to Operate (ATO) process impedes agencies’ ability to harness this power at the pace demanded by evolving mission requirements, keeping them captives of compliance.
The inefficiency doesn’t stop with authorization. Once a solution has been cleared for use, federal agencies face the burden of continuous assessment. Today, it is a manual, static and snapshot-based process that sticks out like a sore thumb in the cloud-first era.
The latest draft guidance on modernizing FedRAMP by the Office of Management and Budget makes the urgent need for automation crystal clear. FedRAMP recognizes that it can’t scale to keep up with the authorization demand, pushing for reusability and standardization. The program, which turns 13 next month, has authorized more than 300 services so far and has over a hundred more in the queue, with no sign of slowing down. This number multiplies for agencies that must conduct security assessments for each solution at least once a year and with the slightest tweak of service, use or requirements.
Automation is no longer a luxury. It is a must. The question that looms large is where to start. As daunting of a challenge it might seem, the key to automating authorizations and continuous monitoring already exists. Open Security Controls Assessment Language (OSCAL), a machine-readable language developed by the National Institute of Standards and Technology with significant contributions from the FedRAMP Program Management Office, is the data fabric that makes automation of authorizations, assessments and compliance possible.
In May 2022, a cloud service provider submitted the first OSCAL-formatted system security plan (SSP) – a document the Joint Authorization Board uses to assess the security of a system to determine whether it meets the requirements – successfully testing FedRAMP’s automation capabilities. A few months later, a different company filed the first full ATO package that included all required artifacts in the OSCAL format, securing FedRAMP’s approval. Some service providers have leveraged OSCAL to smoothly transition to FedRAMP Rev5 earlier this year by standardizing the security control definitions in a machine-readable format to conveniently export the data into a Rev5 template and quickly generate the ATO package for assessment.
Broader adoption of OSCAL among cloud service providers would enable the dynamic expansion of the FedRAMP marketplace that the OMB draft memo mandates. A framework for FedRAMP to accept machine-readable security documentation would reduce the administrative burden on all relevant stakeholders, enforce standardization, improve interoperability, and increase the speed of implementing cloud offerings.
FedRAMP has 18 months to develop a system to receive authorizations and continuous monitoring artifacts exclusively through automated, machine-readable means. Change is imminent, and based on the direction the government has taken and the focus on zero trust, we can expect a directive requiring federal agencies to automate their security assessments. Federal IT leaders must start preparing.
Federal CIOs must first convert legacy SSP data to OSCAL, which is a critical but often overlooked step for automation. Without this, it is impossible to proceed to the next step of integrating assessment scans with assessment results. This is where the actual value of automation lies, but it can only be achieved after completing the first step. In a rush to quickly automate the part of the process that delivers value, it might be tempting to skip step one. But it’s a mistake that leads to a quick realization that one cannot be done without the other. Once the compliance process is automated, injecting it into the continuous integration and delivery pipeline is the third step, enabling continuous and repeated compliance execution – another directive outlined in the OMB draft memo.
Fortifying security posture
When a breach happens, manual scans to identify impacted systems are too slow and don’t show the full picture. Every wasted minute gives attackers the opportunity for greater damage. The only way to close that time window is to automate assessments so they can run continuously. CIOs can’t tell what is impacted without an up-to-date inventory list. The risk differs if a vulnerability is in the back end or an internal system versus a customer-facing application. If compliance information is not in digital form, understanding that context is not easy. A digitized ATO package could generate an answer within minutes with just a few queries, enabling CIOs to prioritize response when multiple vulnerabilities are discovered.
Faced with a relentless barrage of threats, federal IT leaders focus on security tools that promise to quickly identify and fix vulnerabilities, seeing compliance as an afterthought and a paper-work nightmare. However, they shouldn’t overlook how digitizing compliance artifacts can bolster security posture.
The road ahead
FedRAMP plays a vital role in ensuring the government can operate and innovate securely, and it faces a busy year of restructuring on the road to efficiency that meets modern demands. Federal agencies should join that ride to become champions of innovation instead of captives of compliance. Automation is the highway to progress on that journey, and OSCAL is its fast-speed lane.