FedRAMP 20x: The Evolution of FedRAMP


Adam Shnider

EVP, Assessment Services, Coalfire


Karen Laughton

EVP, Advisory Services, Coalfire

March 25, 2025

The Federal Risk and Authorization Management Program (FedRAMP) has become a cornerstone for cloud service providers (CSPs) seeking to do business with the U.S. government. However, navigating FedRAMP has been both a lengthy and complex process. Understanding the program's evolution, the importance of agency relationships, and the need for automation is crucial for success. FedRAMP just launched FedRAMP 20X, its vision for the future of the program, with the expectation of faster authorizations, lower costs, and increased competition.

FedRAMP 20X Takeaways for CSPs

  1. Nothing Changes Immediately: If you are already authorized or on the path to authorization, keep up with your obligations, including control maintenance, continuous monitoring, and assessments. They are all still required at this time. If you have a business case for FedRAMP and you do not meet the requirements for phase one of the pilot, follow the Rev 5 process; it is the only approved path to FedRAMP.

  2. Phase 1 Cloud Native SaaS: If you are a simple, low-impact, cloud-native SaaS that enables required features such as single sign-on and is secure, as demonstrated through adoption of other frameworks, you may be able to join a pilot program that the FedRAMP PMO is going to launch.

  3. Get Involved in Community Working Groups: There are four groups launching, as listed below:
    1. Rev 5 Continuous Monitoring: Monday, March 31
    2. Automating Assessment: Wednesday, April 2
    3. Applying Existing Frameworks: Tuesday, April 8
    4. Continuous Reporting: Thursday, April 10

  4. Stay Connected: Stay up to date with Coalfire’s articles and the new FedRAMP 20X website.

Beyond these basic takeaways, there is much more to FedRAMP that companies should consider, along with the evolution now underway that will be shaped by the pilot and the working groups.

The Business Case: Is FedRAMP Right for You?

FedRAMP has evolved significantly, moving from a nascent program to a more mature and streamlined framework. As highlighted in Coalfire's "The FedRAMP Opportunity: An Executive Guide for Decision-Making," achieving FedRAMP authorization has been considered a significant business decision. It signals a commitment to security and opens doors to a vast federal market. The program's recent improvements, as noted in "FedRAMP Just Got Better and Is Here to Stay," demonstrate its staying power and increasing relevance.

The recent FedRAMP 20X announcements about the direction of the program centered on reducing the friction of getting authorized, including some of the barriers around “sponsoring” agencies, and on removing some of the paperwork the program has become known for over the past several years. However, the fundamentals of deciding to enter FedRAMP remain the same as for entering any industry: having a business case, a sales team focused on that industry, and a go-to-market strategy that keeps your business aligned with the technical initiatives.

Agency Relationships and Trust: The Foundation of FedRAMP

At the heart of FedRAMP lies the security of federal data in the cloud. As required by the FedRAMP Authorization Act, agencies retain ultimate responsibility for authorization. Building strong agency relationships, just as you would with any other customer, is paramount. This includes:

  • Understanding Agency Needs: Each agency has unique requirements and priorities.
  • Clear Communication: Open and transparent communication fosters trust.
  • Collaborative Approach: Working together to address security concerns.
  • Continuous Monitoring: Staying up to date with continuous monitoring/scans and POA&M updates is critical.

With FedRAMP 20X, this becomes even more critical, as the FedRAMP PMO is going to act in more of a statutory role to “set standards that enable private innovation to create the solution”. This means that the agency is your primary customer, and the expectation is that CSPs work with agencies as they would with any other customer: offering your product to an agency and demonstrating compliance through your assessment, which leads to authorization without duplicative reviews from the FedRAMP PMO. Building your relationship and trust with your customers (the agencies) should be front and center in your approach to growing your business with the federal government.

Automation: Streamlining FedRAMP and Compliance

Manual compliance management, often relying on spreadsheets, is archaic, inefficient, and prone to errors. As discussed in "Why Are Companies Still Managing Compliance with Spreadsheets?", automation is essential for streamlining compliance, and FedRAMP is no exception. In fact, the recent FedRAMP 20X announcement from the FedRAMP PMO included Phase 1, which focuses on cloud-native, low-impact, simpler environments that have adopted existing commercial frameworks and can serve as a pilot to prove out automation as the future of FedRAMP compliance and authorization.

Similarly, "FedRAMP Improvements: Balancing Speed with Security" underscores how automation is key to balancing speed and security.

  • Continuous Monitoring: Automating security scans and monitoring ensures real-time visibility into control status.
  • Faster Package Reviews: Automating compliance enhances transparency and accountability leading to faster authorization.

FedRAMP 20X expands beyond the Federal Secure Cloud Advisory Committee (FSCAC) roadmap with a much broader vision of automation that focuses on “Key Security Indicators” that cloud service providers can demonstrate through automation and dashboards. As discussed in the article “Compliance Needs its Own Digital Transformation”, the way we manage compliance is outdated, and the digital transformation the federal government wants needs to come to compliance in order to streamline authorization and adoption.

Management Controls and Existing Frameworks: Building on Established Standards

FedRAMP controls share similarities with other compliance frameworks. This commonality should allow CSPs to leverage existing compliance efforts and frameworks to streamline FedRAMP authorization. As discussed in "Improving Compliance Management with Mappings and Automation," aligning with existing frameworks can enhance value and efficiency across your compliance program.

For years, Coalfire has been fine-tuning its approach to harmonizing frameworks because of the obvious overlap between them, FedRAMP included; treating each framework individually is duplicative and wasteful for companies. The exponential growth of frameworks by industry and country has created a great deal of duplicated effort.

With FedRAMP 20X, FedRAMP is keen on leveraging this concept, and it should be reciprocal: anything companies build for FedRAMP, as the more technically demanding program, should be applied back to the other frameworks so that companies can keep finding ways to become more efficient and reuse the control validation approaches built for FedRAMP.

Reporting Continuously on Control Status: Maintaining Transparency

With all the underpinnings of automation and existing-framework reusability in place, CSPs should be able to move away from annual reporting requirements for maintaining authorizations and focus on a more continuous authorization approach.

Continuous reporting on control status is vital for maintaining transparency and demonstrating ongoing compliance. This involves being able to present information through trust centers or similar ways to share compliance status including:

  • Real-time Dashboards: Providing agencies with access to up-to-date security information of technical controls.
  • Automated Alerts: Notifying agencies of potential security incidents or compliance issues.
  • Existing Framework Reporting: Sharing existing audits and certifications that cover management controls.

This could lead to a future in which FedRAMP no longer requires a separate, independent assessment from a third-party assessment organization (3PAO), because agencies can rely on a continuous authorization approach.

Conclusion

FedRAMP authorization has historically been a significant undertaking, but the rewards were substantial due to agency cloud adoption. FedRAMP 20X expects CSPs to build strong agency relationships, embrace automation, and leverage existing frameworks to navigate the FedRAMP landscape more efficiently.

At this time, FedRAMP 20X is a vision and a concept. The expectation from the public briefing provided by Pete Waterman, FedRAMP Director, is that the Community Working Groups will help shape FedRAMP's future by bringing the innovation of the CSPs to inform standards that the FedRAMP PMO can then document, release for public comment, and implement to turn the vision into reality.

Join us at our 3rd annual RAMPcon event in Washington DC!

On June 9-10, Coalfire is hosting an intensive two-day conference at the Ronald Reagan Building, where industry leaders, government officials, and compliance experts converge to explore the evolving landscape of FedRAMP and public sector compliance. The event features technical deep-dives, business strategy sessions, and expert panels addressing the most pressing challenges and opportunities in public sector cloud security.