FedRAMP’s 2 new efforts target long-time vendor frustrations

The cloud security program launched two programs, an agile delivery pilot and a new technical documentation hub, to accelerate cloud authorizations.

The final policy guidance for the cloud security program known as FedRAMP is still a few weeks away from coming out, but the General Services Administration continues its aggressive refresh of the 13-year-old effort.

GSA launched two new initiatives to continue to relieve some of the burdens of getting cloud services authorized under the Federal Risk and Authorization Management Program (FedRAMP), burdens that contractors and agencies have long complained about.

Eric Mill, the executive director of cloud strategy at GSA, said the agile delivery pilot will choose about 20 contractors to test out how to use secure software delivery approaches to accelerate the “significant change request” process, which essentially is an approval gate for cloud providers to add new features or capabilities to a FedRAMP authorized service.


“For a lot of cloud providers, this can go on for a long time and really get in the way of what we know to be secure software deployment and delivery practices, which are agile software delivery practices and the federal government absolutely needs to get the benefits of these companies who we are relying on for them to be able to share as many security improvements and updates as possible, new security tools, new patches, and new technology and new capabilities,” Mill said at the GovForward conference sponsored by Carahsoft. “This is an area where we think we can take a look at the way that FedRAMP has operated to date and refactor the process to be one that is based on continuous assessment. I think that’s a phrase you’re going to hear us use a lot because we think we should be getting both more security and more speed at the same time. When we focus our attention on overseeing the process by which changes are made, rather than repeatedly exercising like a stop and go process on every point in time change that a cloud provider makes.”

The PMO says as part of its plan to limit the scope and potential impact of changes to agencies, the new features CSPs launched as part of this pilot must be opt-in.

The PMO says any changes to the fundamental underlying architecture, or new security control implementations that apply to the entire offering, will be excluded from the pilot.

For the purposes of this pilot, the PMO says agencies must choose to use the new feature and the new feature cannot change the:

  • System’s fundamental architecture,
  • Types of components used such as databases, operating systems, or containers,
  • Tooling used to configure, secure, and scan those components, and
  • Customer responsibilities for existing features or services.

The FedRAMP program management office will accept applications from vendors to take part in the pilot through July 26 and then make selections by Aug. 16.

The second new initiative is focused on bringing more automation to the program.

The new technical documentation hub will help CSPs in the development, validation and submission of digital authorization packages, and the developers of governance, risk and compliance (GRC) applications and other tools that produce and consume digital authorization package data.

Mill said one of the goals of FedRAMP more broadly is to reduce the time and costs to industry to get their services authorized.

“We’re still in a universe where we traffic 600-page Word documents and PDFs, which is really not how to run a data oriented organization,” Mill said. “We’ve made, what I think are, very concrete investments in changing that dynamic over time. Some of that is who we have hired and brought on to the program where we have a dedicated Open Security Controls Assessment Language (OSCAL) and data standards lead. We already have more technical expertise and practitioner background in the program now than it has had historically, and we’re going to be increasing that very significantly in the near future. We think that by bolstering our technical capacity, we’re going to be able to move dramatically more effectively, and be a more empathetic and effective partner with the cloud providers and agencies who ultimately have the tools that need to integrate with our program so that we don’t have to have people emailing things around much less emailing things around with passwords and stuff like that.”

The website initially is focused on promoting the use of OSCAL and application programming interfaces (APIs) to share digital authorization packages with the PMO and among agencies.

The PMO says this technical hub site will help make the FedRAMP authorization process more efficient and accessible by:

  • Providing faster and more frequent documentation updates
  • Expanding the breadth and depth of available technical documentation
  • Improving the user experience for stakeholders who are implementing OSCAL-based FedRAMP packages and tools
  • Establishing a collaborative workflow that supports community contributions for improvements to the documentation

Mill added this approach isn’t necessarily new because FedRAMP is doing all of this work out on GitHub and open source development already.

VA proved out automation

FedRAMP has long held out for the promise of OSCAL. In May 2022, it received the first security authorization package using the framework. The National Institute of Standards and Technology released version 1.0 of OSCAL in June 2021 and in August 2021, FedRAMP released the first set of validation rules via GitHub.

But both the program and vendors have been slow to catch on.

Amber Pearson, the deputy chief information officer at the Department of Veterans Affairs, said at the event that VA was the first agency to deploy and submit a systems security plan using OSCAL.

“We were able to actually transform our standard 426 page system security plan from a text file to machine readable language. We’re really excited where automation is going to take us to help us speed up how we deploy our authorities to operate (ATOs) in our environment,” Pearson said. “OSCAL will be the first step to explore automation during our assessment and authorization process because it allows us to programmatically look at how do we build in key metrics to do automatic control testing. We’re actually exploring that with our partnerships with NIST and others. How do we actually speed up from a 360-day ATO timeline to receive an ATO to maybe an assessment and authorization (A&A) in a day? That’s some of the efforts that we’re looking at and how do we quickly assess the security controls and most importantly, about automation, it comes into play when you think about continuous monitoring and being able to measure your risk in near real time.”

Drew Mykelgard, the federal deputy chief information officer, said he hopes OSCAL becomes commonplace for any organization building or approving software within the next year.

“At every stage, I hope people are like, OSCAL is saving me from Word flat files, PDFs and it is changing the game from one of the biggest points of friction that we feel. We also know that when like the federal government gets behind a standard, we can really push it forward,” he said. “When we have people like Amber and her team pushing this through their governance, risk and compliance (GRC) platforms to intake OSCAL more effectively, running the tests on it and increasing, we can write all the policy we want, but without people like Amber, it doesn’t happen.”

The agile delivery pilot and the automation hub are two of the latest efforts the program management office has released since January.

FedRAMP’s continued modernization march

In June, FedRAMP finalized its emerging technology framework, focusing initially on generative artificial intelligence.

In May, OMB and GSA detailed the new structure of FedRAMP, replacing the joint authorization board with the new FedRAMP Board and creating the technical advisory group.

And two months before that, the FedRAMP PMO outlined 28 near-term initiatives in a new roadmap for the future.

All of this started in October when OMB issued the draft policy update to FedRAMP.

The PMO is still without a permanent director after more than three years.

Mykelgard said GSA is close to hiring a new permanent director of the program management office after receiving more than 400 applications.

GSA’s Mill said these and other upcoming changes are all about making concrete investments to change the dynamic over time. He said speed and security don’t have to be polar opposites.

“If you look at the elements on our roadmap, a very healthy chunk of them are designed to chip away in different ways and different slices of the things that generate that time and cost,” Mill said. “What we really need when commodity services out there exist, which can do core functions by companies and other agencies sometimes, it’s the shared services strategy in another form. We benefit from a security perspective, as federal agencies and the federal government when we’re able to stop doing things ourselves. Now when we’re talking about software, we have different and new and exciting opportunities to start running fewer things that are held together by shoestring apps and use things that are given dedicated maintenance, love and security investment. That, in and of itself, is a huge security boon for the government, which should be able to focus its limited IT and security people on the things that cannot be commoditized, that are just unique and core to their mission. That’s the theory of FedRAMP.”
