How FedRAMP is evolving to meet the challenges of the cloud computing market
Updates to federal cloud security policy are laying the foundation for a more secure and resilient cloud ecosystem.
Since its inception in 2011, the Federal Risk and Authorization Management Program has been essential in bringing cloud computing infrastructure and security to Federal agencies. Over the past year, the program has undergone a series of governance changes, culminating in the release of FedRAMP modernization guidance from the Office of Management and Budget. These changes aim to ensure that FedRAMP continues to support federal agencies with their cloud service needs amidst emerging technologies, an expanding threat landscape, evolving security policies, and shifts in the commercial cloud marketplace.
While all the changes are significant, the FedRAMP agile delivery pilot, updated appointments to the Secure Cloud Advisory Committee and the appointment of the inaugural FedRAMP Board may have the biggest impacts on both federal agencies and cloud service providers.
Automation and agile delivery
One of the key issues the July FedRAMP guidance addresses is reducing the often slow and burdensome processes that participants – federal agencies and CSPs – commonly face. Central to this guidance is the need for FedRAMP to establish an automated approach for intaking, using, and reusing security assessments and reviews. The goal of this approach is to alleviate the slow implementation and approval process and create a faster environment for applying cloud solutions.
FedRAMP has invested significant effort, in partnership with the National Institute of Standards and Technology, in establishing the Open Security Controls Assessment Language as a foundational element for automating FedRAMP activities. Additionally, FedRAMP is addressing the lengthy and cumbersome "Significant Change Request" process through an agile delivery pilot program in which select contractors will test secure software delivery approaches. The pilot seeks to reduce the time and effort associated with the significant change request process, enabling CSPs to more easily add new features and capabilities to a FedRAMP-authorized service without requiring advance approval for each change.
Enhancing the technical capabilities of the Project Management Office by launching an updated documentation repository and acquiring tools for automating workflows, document preparation, and validation will strengthen FedRAMP's ability to scale and meet growing demand. These updates, and the improvement of the technical capabilities of the PMO, allow CSPs to more efficiently work with federal agencies to deliver security tools, updates, practices, technologies and capabilities all within a timely manner.
Strengthening public-private partnerships
The new guidance also prioritizes improving collaboration between federal agencies and CSPs. A key change is the authorization for agencies to use cloud services without an identified agency sponsor, a shift from the previous requirement that CSPs secure a government sponsor before engaging with federal agencies. This modification unlocks new opportunities in the federal marketplace, enabling agencies to access emerging technologies that were previously out of reach – now with greater speed and efficiency.
At the heart of the modernization guidance is the commitment to enhancing collaboration between the federal government and industry experts. The exchange of knowledge and expertise, particularly between industry leaders and Federal agencies on the FSCAC, will lead to more informed policies and practices, benefiting the broader cloud landscape. CSPs can now voice their concerns and suggestions through industry representatives on the committee, sharing insights from customer experiences and emerging technologies.
Agencies and industry experts are also encouraged to leverage shared infrastructure, enabling the Federal government to undertake the digital transformation efforts supported by CSPs. As agencies work toward modern infrastructures, a collaborative approach built on public-private partnerships is essential and will lead to impactful outcomes.
Challenges ahead
FedRAMP announced in an August blog post that the authorization path a CSO took will not figure prominently in its marketplace listing. Given the intent of moving toward "One FedRAMP Authorization" and the "Presumption of Adequacy" as spelled out in the FedRAMP statute and the recent OMB FedRAMP policy memo, the common understanding is that a FedRAMP authorization is the same irrespective of authorization path – agency authorizing officials, the legacy Joint Authorization Board, and the future-state PMO and multi-agency authorizations.
The fact remains that risk acceptance is not the same from authorizing official to authorizing official (even historically in FedRAMP between agency authorizations and legacy JAB authorizations), and the challenge before FedRAMP is working to normalize, as best as possible, the risk associated with each CSO. This could be done by communicating to cloud providers those FedRAMP specific requirements that are sometimes above and beyond risk acceptance of an authorizing official (the delta between a FISMA authority to operate and a FedRAMP authorization), and providing transparency to agencies as to the level of risk accepted for each CSO in the marketplace. It is unlikely that complete normalization of risk acceptance will ever materialize, but leveraging the “one FedRAMP authorization” and the “presumption of adequacy” is a welcome start.
By keeping pace with the technological evolution in front of us, aligning with today’s dynamic cloud landscape, and fostering collaboration efforts, FedRAMP is laying the foundation for a more secure and resilient cloud ecosystem. While not without challenges, the new FedRAMP guidance paves the way for CSPs to support secure cloud modernization.
The guidance will encourage efficiency and streamline the implementation process for the much-needed cloud solutions of today – safely, securely, and promptly.
Brian Conrad is Director of Global Compliance Authorizing Authority Liaison, Zscaler, and former Acting Director, FedRAMP