FedRAMP Improvements: Balancing Speed with Security

Christine Biggs

Principal, FedRAMP Advisory Services

May 17, 2024

With the release of the updated roadmap for the Federal Risk and Authorization Management Program (FedRAMP), the General Services Administration (GSA) held an open forum with cloud service providers (CSPs) and FedRAMP advisors to answer questions about the key actions outlined in the roadmap. Over 900 participants (half of them CSPs) listened as GSA, Office of Management and Budget (OMB), and Cybersecurity and Infrastructure Security Agency (CISA) leaders walked through the need to improve the FedRAMP process. Discussion centered on lowering the barrier to entry so that more cloud services can be offered to the Federal government, while giving agency customers more visibility into cloud security.

The FedRAMP program requirements can be quite a burden for CSPs that want to do business with the government, because they must document and demonstrate compliance with a vast number of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 security controls as well as OMB mandates and CISA directives.

The closest security framework in terms of sheer number of controls and technical requirements is the Payment Card Industry Data Security Standard (PCI-DSS), but the FedRAMP Program Management Office (PMO) adds further detail to the controls and specifies very precise parameters for many of them. In addition, the review process for FedRAMP includes not only an assessment by a qualified Third-Party Assessment Organization (3PAO) and an evaluation by agency customers, but also a meticulous review by the FedRAMP PMO that often takes several months. CSPs have long complained that this process is costly and lengthy, but it is the only way for federal agencies to understand how a commercial CSP meets the security controls that are required for all agency systems.

Automation for Faster Package Reviews

We were happy to hear during the recent Federal Secure Cloud Advisory Committee (FSCAC) meeting that GSA has fleshed out its ideas around automation as a key component of FedRAMP Program improvements. If done right, automation can not only speed up the review and authorization process but also provide more insight for agencies. Agencies that can quickly understand the security posture of a cloud service against federal requirements will be more inclined to buy that service.

In the past, GSA had touted the Open Security Controls Assessment Language (OSCAL) as a solution to the FedRAMP program's efficiency problems, but some CSPs noted in previous FSCAC meetings that there were significant cost and resource barriers to using OSCAL, since no tools were available to easily convert the existing volumes of documentation required in a FedRAMP authorization package.

It now sounds like not only are OSCAL solutions being developed by GSA, but a "FedRAMP technology platform" is also being procured that will serve as a central repository for the documents and artifacts that must be submitted during the authorization process. GSA already maintains a repository for packages, but the platform, which based on Coalfire's review of the GSA Request for Proposal has Governance, Risk and Compliance (GRC) platform capabilities, would also provide additional automation in the form of automated completeness checks, automatic inheritance from leveraged packages for connected cloud services, and a potential feed into the metrics that the FedRAMP PMO wants to collect. GSA also indicated it is hiring artificial intelligence and machine learning (AI/ML) experts, presumably to help write rules for these inspections against FedRAMP program requirements.

GSA indicated that the FedRAMP technology platform will allow manual entry and upload of information and artifacts (at least initially), but that Application Programming Interfaces (APIs) will be provided for CSPs that want to automate submission of the required items. The APIs will benefit the larger CSPs that have multiple cloud services to be FedRAMP authorized and must juggle multiple package submissions, but what remains to be seen is exactly what form those submissions will take. Will it be documentation or data? In a recent post on the GSA website, Eric Mill, Executive Director of Cloud Strategy, indicated that GSA wants to move FedRAMP away from relying on lengthy documents and towards a data-first foundation for automating key pieces of the FedRAMP process. Perhaps GSA is looking to AI experts to generate useful information from the evidence and data that is collected. Anything that cuts down on the voluminous paperwork will be welcomed by agencies and CSPs alike.

Although the FedRAMP technology platform is not slated to be deployed until Q1-Q2 2025, part of the roadmap includes a pilot of the OSCAL submission process. For CSPs that wish to participate, GSA will start accepting "digital submissions" in OSCAL format in Q3-Q4 2024. Coalfire has identified tools for submitting packages on behalf of CSPs that would like to participate in this pilot, with the understanding that not all the kinks have been worked out of the process. Look for more information on this in the future.

Automation for Continuous Monitoring

Receiving a FedRAMP authorization is a great stamp of approval for a CSP's security program, but it is only half the battle. CSPs have discovered that the requirements to continuously scan, monitor, and report after they receive their Authority to Operate (ATO) also take a significant amount of time and resources. While vulnerability and compliance scanning have always used automated tools, summarizing and reporting the results, and explaining what they mean for the security of the cloud system, has largely been a manual process. This is another area where GSA is looking to automation to make the reporting process more efficient.

During the recent FSCAC meeting, Branko Bokan from CISA indicated that the Department of Homeland Security (DHS) has been working with GSA, FedRAMP, and other partners for a while on automation and ingestion of data, as well as integration with the Continuous Diagnostics and Mitigation (CDM) Dashboard. Like a Security Information and Event Management (SIEM) dashboard, the CDM Dashboard collects data in an automated fashion and flags issues as they arise. Although Bokan did not say whether CISA would develop a new dashboard for FedRAMP or add CSP data to the existing CDM Dashboard, either approach will eliminate the manual process of uploading scan reports and inventory spreadsheets every month. This will also reduce the burden on agency compliance teams that have to review the continuous monitoring (ConMon) reports for multiple CSPs every month, and it will provide better visibility into the state of scanning and patching in these cloud systems.

Scaling FedRAMP into the Future

Attacks against Government agencies have only increased over the years, and commercial CSPs hosting or processing Government information must ensure they have sufficient security in place. Performing an assessment against the FedRAMP security controls provides assurance to Government agencies that the CSP meets their stringent requirements.

The roadmap for improving the FedRAMP Program listed a variety of actions, such as providing clearer guidance on several important topics, deploying a knowledge base that targets all roles involved with the system, and leaning on certain "trusted partner" agencies to do more of the heavy lifting when it comes to package reviews.

The FSCAC meeting provided a great window into the future plans for the FedRAMP program. While the concepts and roadmap provide an outlook for what to expect, the clear benefits that are also outlined in the roadmap are where the community will be paying close attention. These benefits include improved customer experience, stronger security and risk management, and reduced time and cost. The end result of accelerated authorization, faster onboarding of new services, and less burdensome continuous monitoring will enable FedRAMP to truly scale into the future.