Emerging Tech

FedRAMP just automated checking security authorization packages for completeness

Cloud vendors should be able to get their hands on the XML-automated validations next week.

August 3, 2021

(Getty Images)

The General Services Administration plans to release XML-automated validations next week allowing vendors to check their security authorization packages for completeness before submitting them to the Federal Risk and Authorization Management Program.

FedRAMP used Schematron’s rule-based validation for making assertions against XML to automate the process and wants vendors to self-test their packages to ensure all the required data is there, before the program reviews them and decides whether to issue a cloud product an authority to operate (ATO).

More easily hackable legacy systems stay in operation longer when agencies can’t quickly purchase cloud products they need for lack of an ATO, and vendors have long wanted FedRAMP to automate parts of its authorization process.

“I think it’s a great step in automated validation,” said Zach Baldwin, automation lead within the FedRAMP program management office (PMO), during an ACT-IAC event Tuesday. “I want cleaner documentation before I have my review team lay eyes on it.”

The PMO wants vendors to implement the validations that allows them to reinsert new files with more complex checks as FedRAMP improves them, Baldwin said.

FedRAMP is also considering an agile ATO, a critical set of controls vendors can implement quickly while saving lesser ones for later.

The PMO recently partnered with the Department of Homeland Security’s .govCAR to score vendors’ security architectures against cyberthreat heat maps. Updated scores will be released in the near future, but they can be used to create a risk profile as agencies make cloud service purchasing decisions, Baldwin said.

Automation wouldn’t be possible without FedRAMP’s work with the National Institute of Standards and Technology to create the standardized Open Security Controls Assessment Language (OSCAL) for authorization packages. NIST released OSCAL 1.0.0 in early June.

“I’m going after the time it takes to get an authorization and the number of passbacks between my review teams and the [cloud service providers] and [third-party assessors],” Baldwin said.

FedRAMP just automated checking security authorization packages for completeness

More Like This

With 2023 tax season in the rearview, IRS commissioner eyes expansion of AI capabilities

GAO budget request puts premium on modernization efforts

GSA administrator: Generative AI tools will be ‘a giant help’ for government services

Top Stories

State Department encouraging workers to use ChatGPT

Federal CIO calls on Congress to fund Technology Modernization Fund

Congressional panel outlines five guardrails for AI use in House

CMS’s financial office is using LLM pilot to combat loss of institutional knowledge

Top public sector takeaways from Google Cloud Next 2024

Commerce requests information about AI, open data assets, data dissemination

More Scoops

With draft guidance, OMB kickstarts effort to modernize FedRAMP for ‘today’s cloud challenges’

A bill codifying FedRAMP finally makes it to the Senate floor

FedRAMP eyes .govCAR for other authorization applications

Agency reuse of FedRAMP-approved cloud products climbs with automation

GSA making ‘significant’ investments to automate FedRAMP processes

FedRAMP cloud security requirements under revision

FedRAMP agency liaisons and pilots are key to streamlining program, ITIF report says

Latest Podcasts

FedRAMP just automated checking security authorization packages for completeness

AI Week 2024 has Come and Gone

Darryl Peek on Elastic’s role in enhancing public sector search and data analytics with AI and Google collaboration

Danny Werfel on How Automation has Enhanced his Agency’s Operations.

Tech

Defense

Cyber

Acquisition