Agencies are increasingly reusing authorized cloud services to help meet new telework demands during the coronavirus pandemic.
The Federal Risk and Authorization Management Program (FedRAMP) saw a 50% increase in agencies reusing authorized cloud products in fiscal 2020, and agencies have made about 3,000 requests to evaluate cloud security products others are using, known as reusability requests, since March, said Ashley Mahan, director of FedRAMP.
Rather than developing new security capabilities, agencies are taking greater advantage of those that already exist, such as firewalls, multifactor authentication, fine-grained access control, and network and system monitoring with machine learning built in.
“We’ve really just seen government and industry working hand in hand together during this time to start using these innovative services but also with a very strong emphasis on security,” Mahan said during CyberTalks, presented by CyberScoop.
Mahan further encouraged agencies that haven’t already done so to go through the initial process of selecting and authorizing cloud services that meet their needs, so they’ll have an industry partner when they begin the process of IT modernization.
FedRAMP understands the authorization process is too long and requires too many resources, which is why the program is working with the National Institute of Standards and Technology to develop a standardized, machine-readable language called the Open Security Controls Assessment Language (OSCAL), Mahan said.
Currently, FedRAMP authorization is mostly manual with different security artifacts needing to be produced, tested and audited. FedRAMP wants to work with industry and agencies to translate those artifacts into OSCAL so that machine learning can be applied for efficiencies during initial authorization, as well as near real-time continuous monitoring of cloud services thereafter.
To that end, FedRAMP is also working on a web services application programming interface schema capable of automating data collection from cloud service providers (CSPs) for near real-time insights into their vulnerability posture, Mahan said.
Automating FedRAMP would be greatly beneficial for departments, like the State Department, that are currently assessing their risk tolerance and reusing threat data across multiple agencies.
“If we can get better real-time threat data and integrate that into our compliance processes, it’s going to help us make better risk decisions, better risk tradeoffs between what the customer is asking us to do and what we’re comfortable with from a risk standpoint,” said Brian Merrick, director of cloud programs at the State Department.
The State Department has used FedRAMP to authorize shared platforms more rapidly during the pandemic than it has in the past, Merrick said. That’s because the department needed to leverage the cloud when gathering real-time data on local medical environments to decide which of its 275 overseas posts to close due to COVID-19.
FedRAMP lays the groundwork for a shared environment where CSPs provide baseline infrastructure services that agencies can build on as needed for continuous monitoring, Merrick said. The State Department has already placed its ticketing system and configuration management database in the cloud.
“Now we’re able to scan our assets — our networks, our devices, our hardware, our software — and really know the state of that with certainty,” Merrick said. “And that’s an operating picture that’s been a challenge in a federated environment.”
One State Department agency is collecting refugee data in austere environments overseas and needed a FedRAMP-compliant software-as-a-service (SaaS) tool for uploading the information to the cloud as soon as the mobile devices doing the collection hit the internet. That way the data could be shared across agencies for decision-making purposes.
Edge computing devices don’t have to leave the boundary to work with FedRAMP-authorized SaaS, Merrick said.
“We’re starting to see more of that connection between different mission areas, datasets, different agency equities,” Merrick said. “And the cloud is sort of that glue in the middle helping get that data where it needs to be a lot faster.”