Over the last decade, no federal technology program has been more maligned than the Federal Risk Authorization Management Program (FedRAMP). It embodies the old adage of being the program industry, Congress and agencies alike “love to hate.”
Maybe this is why FedRAMP also embodies the characteristics that many other federal programs should emulate? It’s not afraid of change and enthusiastically looks to improve.
The latest example is the new Agency Liaison Program, which FedRAMP’s program management office launched in late May.
Insight by MFGS, Inc.: In this exclusive Federal News Network survey, cybersecurity experts from the military services and intelligence community offer insights into how their agencies are transforming their approaches to cybersecurity to address the ever-changing threats.
“The Agency Liaison Program is designed to transform the way FedRAMP informs and collaborates with federal agencies. Agencies play an important role in the success of FedRAMP and through this Agency Liaison Program, the PMO will provide support through a ‘train-the-trainer’ model for liaisons to share knowledge and resources about the authorization process to others in their agency,” said Ryan Hoesing, FedRAMP customer success manager, in an email to Federal News Network. “Through this program we are building a community to enhance collaboration and knowledge sharing across the government, with more than 30 agencies participating at this time. Agency security practitioners were selected by their leadership to serve as the FedRAMP Liaison.”
The idea of the liaison program came from the ideation challenge FedRAMP held last summer. It was one of several the program management office is implementing from that crowdsource effort. And the use of the challenge and other actions are part of why FedRAMP, while frustrating to some, retains the respect and admiration from many in the federal community.
“This initiative has garnered support from agency chief information security officer who helped identify personnel and ensures agencies have a FedRAMP expert on staff,” Hoesing said. “One of FedRAMP’s guiding principles is ‘do once, use many,’ and the program is designed to help agencies and industry be more efficient in their cloud adoption efforts. Agencies were looking for more support and resources as they modernized — and the PMO answered the call by establishing this governmentwide community with our agency partners. The Agency Liaison Program also establishes a formal feedback mechanism to enable continuous process improvement as the program rolls out new initiatives.”
Continuous process improvement has been a hallmark of the FedRAMP program. While far from perfect, the cloud security program has evolved over the last decade, adding initiatives such as the FedRAMP Tailored and Accelerated processes.
“FedRAMP is already seeing an impact of implementing ideas and working towards these objectives,” said Ashley Mahan, FedRAMP director, in an email to Federal News Network. “In fiscal 2019, the program authorized 45 new products, and as of June 2020, FedRAMP has already authorized 47 new products. With over a quarter left in the fiscal year, a large cloud product pipeline, increased agency participation and collaboration, the program expects to finish the year strong.”
Mahan said the PMO continues to focus across four strategic areas:
She said FedRAMP decided on these four areas, in part, because of “the ideation challenge and participating in working groups with agencies and industry, in an effort to increase authorization speed and implement process efficiencies to boost agency acceptance and reciprocity of FedRAMP authorizations.”
The Ideation Challenge focused on improving the FedRAMP process and its customer experience.
Zachary Baldwin, the FedRAMP program manager for strategy, innovation, and technology, said the submissions identified a need for a consistent approach to FedRAMP authorizations across agencies, improved communication through a centralized point of contact for the PMO and cloud service providers and a simplified training mechanisms for agency stakeholders through a “train the trainer” model. This last one led to the Agency Liaison program.
“The PMO also identified other program goals, faster authorization timelines through training and more streamlined communication, increased authorizations within agencies and more efficient deployment of resources through a centralized point of contact and opportunities for agencies and bureaus to collaborate and share best practices,” he said.
Since the Ideation Challenge, Mahan said FedRAMP has developed initiatives to add automation to reviewing security documentation. This included a new effort with the National Institute of Standards and Technology and industry on a standardized machine-readable language, called Open Security Control Assessment Language (OSCAL).
She said the goal is to facilitate and incorporate automation into the authorization process.
“FedRAMP templates and security baselines are being developed in OSCAL and draft versions have been released on GitHub for public comment,” Mahan said. “OSCAL will allow cloud service providers (CSPs) to automate security package creation and the streamline package reviews by leveraging automated validation and checks.”
Additionally, the PMO also is redesigning its digital presence to help agencies and industry through the FedRAMP process and create a simplified virtual view into the program.
Mahan said her office created new avenues for stakeholders to interact with the program.
“We held our first-ever Joint Authorization Board (JAB) Interact event, an annual meeting focused on fostering an atmosphere of collaboration between FedRAMP technical representatives (TRs) and CSPs that are in process with or authorized by the JAB,” she said. “We also held our first technical exchange meeting where we convened a small set of interested technical experts to discuss draft guidance surrounding container security. We have more initiatives planned for this year as we seek to enhance our virtual footprint.”
And finally, Mahan said FedRAMP recently released a quick guide for agencies that outlines how to reuse a security package, provided further clarity and updated the JAB prioritization process guide, and released seven lessons learned for small businesses and start-ups that were provided by small businesses and startups.