Embracing the FedRAMP Wave of Change

The Federal Risk and Authorization Management Program (FedRAMP) is a cornerstone of cloud security for the U.S. government. It's the gatekeeper, ensuring cloud service offerings (CSOs) meet stringent security requirements before agencies can leverage their services. And like any evolving program designed to safeguard critical data, FedRAMP is poised for change. While it has been reported that the FedRAMP team which included contractors was over 80 people and is expected to be around 20 in the new program.  The reality is that no one outside the inner circles knows the specifics of upcoming FedRAMP updates. But one thing is certain: change is coming, and adaptation is key. 

FedRAMP: By the Numbers and Beyond

Before we dive into the uncertainty, let's acknowledge FedRAMP's significant impact. Since its inception, FedRAMP has:

• Authorized 379 Cloud Service Offerings, providing a robust marketplace for agencies to leverage.
• Realizing the benefit of the central approach with 2,855 authorizations, over 7x the number of CSOs
• Packages have been reused nearly 10,000 times as additional evidence of the value of the program

Coalfire is proud to be a leader in FedRAMP dating back to the start of the program and supporting CSOs with their journey with our current CSO listings contributing to:

• 114 CSO authorized, including a great mix of IaaS, PaaS and SaaS providers
• 790 unique authorizations
• Over 4,300 times the package was reused 
• Advised over 24 authorized CSOs through their FedRAMP journey including document development and building FedRAMP ready environments

With the numbers in mind, the purpose of the program was intended for the following reason:

• Provide a risk-based program to protect systems and information used for mission critical activities that serve public interest and citizens of the United States.
• Streamline the security assessment process, saving agencies time and resources.
• Established a standardized security framework, promoting consistency and interoperability.
• Drive significant adoption and improvements in cloud security posture across the federal government.

These accomplishments are a testament to FedRAMP's effectiveness in helping the federal government achieve its mission by allowing agencies to adopt modern technology and securing government data in the cloud. 

While the early days of FedRAMP required deliberate and focused attention to ensuring the program was established and experiences to learn from to ensure risks were communicated and managed, any change is sure to leverage the collective experience to date to remove redundancies and streamline the process.

The key takeaway? Embrace the mindset of continuous improvement and be ready to adapt to whatever changes come your way.

Protecting the Mission: Risk and Trust at the Core

The fundamental purpose of FedRAMP is to protect the mission of federal agencies as they modernize and leverage new technologies. This protection hinges on two critical elements: Risk and Trust which are the foundation of the FedRAMP Authorization Act that was passed in December of 2022 as part of the National Defense Authorization Act of Fiscal Year 2023.

7 Ways to Reduce Risk and Enhance Trust 

It is easy with all the noise around us to get caught in the headlines and sensational unofficial announcements and even rumors that spawn from the closed-door updates.  While change is inevitable, not just with FedRAMP but in the fast moving industry of cloud computing and increasing speed of change with AI, considering the basic tenants of the agencies focused on protecting their mission and considering the two key elements of Risk and Trust, CSOs should focus on staying connected to the changes directly from FedRAMP as they make formal announcements and focusing on the fundamentals required to obtain or maintain authorization:

Risk:

• Maintain your Controls: CSOs have developed robust security programs for both commercial and federal use.  In many cases, security for cloud providers is better than most agencies could maintain on their own.  Keep up with your program and ensure you are maintaining your controls
• Continue Continuous Monitoring: Ensure you are keeping up with your monitoring activities and meeting the deadlines and dates for remediation in your Risk Exposure Table and Plan of Action and Milestones.  Agencies still have a responsibility to authorize, and continuous monitoring activities help them quickly understand risk
• Ensure Significant Changes are Documented: Changes to the environments and new services are expected from cloud service providers and CSOs should ensure that they are onboarding these services into their authorized boundaries leveraging the processes and technical controls that have been authorized.  Additionally, onboarding to continuous monitoring and ensuring this is obvious can help accelerate any identification of new risks associated with changes.

Trust:

• Increase Communication with Agencies: Start engaging with your agency counterparts.  Don’t wait for the formal announcements, your counterparts have the same concerns and hesitation with change as you do.  Remember, they are also human and hearing a lot of the same noise.  Establishing a line of communication with your customers is critical when there is so uncertainty.  Just as this blog is intended as an avenue of communication for Coalfire customers, ensuring you know the direction, approach and concerns your customers have with upcoming changes before and after any official announcement can help you adapt quickly.
• Elevate Transparency: Ensuring information with agencies is clear, concise and complete to outline status and risks including with continuous monitoring reporting can help build trust with your agency counterparts.
• Push Forward Automation Investments: Supporting automation can enhance transparency by providing more information in real-time or near real-time with less effort by the CSO to share control status and risk. This is not a new desire, as many of Coalfire’s customers have been on their own journey to automate more of their controls and assessment activities to drive efficiency. The other benefit of automation is that it can enhance transparency and be prepared for new approaches to share information with agencies to demonstrate control effectiveness.
• Enhance Independent Verification: With the evolution of cloud computing, more and more emphasis on building trust has been achieved through independent assessment.  This should be expected to be a core approach to continuing to build trust with customers, including agencies, to demonstrate the effectiveness of the CSOs security programs.  With more automation and more overlap across frameworks, this should become more efficient. Coalfire has seen up to 50% reduction in effort by CSOs by leveraging a combination of workflow and automation tools as well as consolidating assessment partners.  FedRAMP should be no exception as the controls are very similar between NIST 800-53, PCI and HITRUST as well as a tremendous amount of overlap on process and management controls with ISO and SOC. 

By embracing change and focusing on risk and trust, CSOs can navigate the evolving FedRAMP landscape to support agencies desire to achieve their mission.  

Coalfire is here to help you through any changes that may occur with FedRAMP and with your compliance journey. Stay tuned to our blog for updates and perspective as more information becomes available and contact us if you have questions or need additional support.