The director of Technology Transformation Services wants to automate the security component of cloud service authorizations by the end of fiscal 2020.
The Federal Risk and Authorization Management Program (FedRAMP) process is so manual it’s “painful,” Anil Cheriyan said Friday at a Center for Cybersecurity Policy and Law event. To help fix that, he said, FedRAMP’s Program Management Office (PMO) is working with the National Institute of Standards and Technology to develop a means of automating components of authorization, called the Open Security Controls Assessment Language (OSCAL).
OSCAL is a set of XML, JSON and YAML formats that provide machine-readable representations of control catalogs and baselines, system security plans and assessment plans and results.
Using OSCAL, agencies will be able to expedite reviews of security authorization packages.
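One way the machine-readable formats described above speed up a review, as an added example that is not from the article or the FedRAMP PMO: a script that compares the controls a baseline selects with the controls an SSP claims to implement and reports the gaps. The JSON is constructed and simplified; the field names (`profile`, `imports`, `include-controls`, `with-ids`, `system-security-plan`, `control-implementation`, `implemented-requirements`, `control-id`) are assumed to follow the OSCAL JSON models and should be checked against the published NIST schemas.

```python
# Added example (not from the article): reviewer-style coverage check on a
# simplified, constructed OSCAL-like JSON profile (baseline) and SSP. Field
# names follow the OSCAL JSON models as assumed here; check them against the
# published NIST schemas before relying on them.
import json

# Constructed baseline: a profile selecting three controls from a catalog.
BASELINE_JSON = json.dumps({"profile": {"imports": [{
    "href": "#catalog-placeholder",
    "include-controls": [{"with-ids": ["ac-2", "ac-3", "au-2"]}],
}]}})

# Constructed SSP: covers two of the three baseline controls plus one extra.
SSP_JSON = json.dumps({"system-security-plan": {"control-implementation": {
    "implemented-requirements": [
        {"control-id": "ac-2", "description": "Accounts managed in the IdP"},
        {"control-id": "ac-3", "description": "RBAC enforced at the API gateway"},
        {"control-id": "sc-7", "description": "Boundary protection via VPC rules"},
    ]
}}})

def baseline_control_ids(profile_json: str) -> set:
    """Collect every control id the baseline explicitly includes."""
    profile = json.loads(profile_json)["profile"]
    ids = set()
    for imp in profile.get("imports", []):
        for sel in imp.get("include-controls", []):
            ids.update(sel.get("with-ids", []))
    return ids

def implemented_control_ids(ssp_json: str) -> set:
    """Collect every control id the SSP claims to implement."""
    ssp = json.loads(ssp_json)["system-security-plan"]
    reqs = ssp["control-implementation"]["implemented-requirements"]
    return {r["control-id"] for r in reqs}

def coverage_gaps(profile_json: str, ssp_json: str) -> list:
    """Baseline controls with no implemented requirement, sorted for the reviewer."""
    return sorted(baseline_control_ids(profile_json) - implemented_control_ids(ssp_json))

def undeclared_controls(profile_json: str, ssp_json: str) -> list:
    """Implemented controls outside the baseline (worth a reviewer's second look)."""
    return sorted(implemented_control_ids(ssp_json) - baseline_control_ids(profile_json))

if __name__ == "__main__":
    print("missing:", coverage_gaps(BASELINE_JSON, SSP_JSON))  # ['au-2']
    print("extra:", undeclared_controls(BASELINE_JSON, SSP_JSON))  # ['sc-7']
```

The same two set operations apply unchanged to a real package once the baseline and SSP are loaded from their OSCAL files, which is the kind of check a manual review currently does by hand.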
“We’re actively working with OSCAL, and by the end of FY 2020 we would like the entire security package to be in OSCAL, automated,” Cheriyan said. “That’s our goal, so when we submit the request the information, the review of that information — all of that will be in OSCAL.”
The PMO plans to increase by about 50% the number of training sessions for agencies on reusing authorities to operate (ATOs), he said. Reusing another agency’s ATO for a cloud product or service is faster than waiting for an offering to achieve FedRAMP authorization.
And the office has partnered with the Department of Homeland Security to make the .gov Cybersecurity Architecture Review of controls more threat-based.
“It’s early discussions, but that will simplify the complexity around process,” Cheriyan said. “And if you’re reusing certain pieces, you’re really making that very transparent in terms of what are the real threats that we’re seeing out there.”
Another priority for the FedRAMP PMO this fiscal year is establishing agency liaisons, he said.
FedRAMP saw a 50% increase in ATO reuse between fiscal 2018 and 2019, and the Joint Authorization Board completed 59 authorizations last year — compared to 40 in the first four years of the program.
“I think the pace is going to have to improve,” Cheriyan said. “And really the speed at which we do these [authorizations] through automation and some of the other activities is going to help.”
Making FedRAMP risk-based
Cheriyan’s comments came on the heels of the Center for Cybersecurity Policy and Law releasing three high-level recommendations for improving FedRAMP’s security, scalability and automation.
The compliance regime was designed for legacy information technology environments and is “not as easily adapted” to new architectures, said Ross Nodurft, coauthor of the center’s white paper.
“Because of the way the program is structured the Joint Authorization Board really, right now, can only review about three [cloud service provider] packages per quarter,” said John Banghart, the other author. “That’s not a lot, particularly given the way the landscape is expanding with the amount of companies that are introducing cloud services, cloud products.”
Meanwhile, agencies’ processes and timelines for reusing ATOs are inconsistent because their resources vary, they prioritize cloud differently, and they trust certain ATOs more than others, he added.
The center’s recommendations are:
- Redefine federal IT risk management including FedRAMP to place continuous, incremental and automated monitoring at the heart of the process.
- Consolidate and standardize the process for risk acceptance across the federal government.
- Enable the federal government to leverage the full scope of emerging innovation in the cloud computing and information technology markets.
Automating FedRAMP involves the adoption of OSCAL, as well as the development of dashboards for real-time monitoring of government cloud platforms — similar to the Continuous Diagnostics and Mitigation cybersecurity system.
In standardizing risk acceptance, the government should identify or create a shared services provider to scale the ATO process — ideally using various agencies’ “ATO-in-a-Day” projects as a guide, according to the white paper. Grouping agencies with similar risk profiles to streamline ATOs was also advised.
The government can encourage innovation by developing standard IT environment configurations and components for automatic deployment across agencies. Creating compliance pathways would allow cloud service providers (CSPs) to update products and services without having to redo the entire authorization process, according to the white paper.
“We don’t want to see FedRAMP reduce security requirements or expect agencies to reduce security requirements,” Banghart said. “What we want is to make sure those security requirements are rational, that they’re streamlined, that they meet everybody’s needs and help get innovative or updated CSP products and services into the government securely and quickly.”
The FedRAMP PMO launched an Ideation Challenge in July seeking input from industry, academia and agencies on improving the program.
More recently, the office provided technical assistance on the bill to codify and improve FedRAMP that the House passed earlier this month.
TTS, an agency within the General Services Administration, is “substantively” in agreement with the center’s report, Cheriyan said.
“There’s a lot of good stuff here,” he said. “There are things that we can add onto what we’re already doing, and there are things that we are already, frankly, doing that are connected to what the report provided.”