FedRAMP focuses on continuous monitoring redesign

If 2017 was the year the Federal Risk and Authorization Management Program moved to streamline its authorization process, then 2018 will see it change how it approaches its continuous monitoring of cloud computing services sold to the government.

Director Matt Goodrich said Thursday that FedRAMP currently spends 75 percent of its security budget on continuous monitoring, and officials are looking for ways to make the process more efficient in 2018.

“FedRAMP is not a project like other compliance regimes can be. FedRAMP is a program,” he said at the Digital Government Institute’s Cloud Computing Conference. “Once you get the authorization, that’s just the beginning of the work. You have to continuously monitor your system and continuously make sure that system is maintained, and its risk posture is maintained at an adequate level.”

As a result, Goodrich said FedRAMP has been exploring continuous monitoring alternatives and will start producing documentation this month to highlight some of the ways it can free up resources, perhaps redirecting them toward more authorizations.

“We are having some other meeting with vendors as well to talk through ways to automate risk reductions and things like that as well,” he said. “But we believe if we could reimagine the way we did our authorization process and reduce it by 75 percent in time, we think we can use that same smart-brain power to reduce the time and money on continuous monitoring as well.”

Goodrich added that the continuous monitoring redux would likely be phased-in gradually over 2018 to individually address its functions of periodic reporting, change management and incident response.

The move comes after FedRAMP made concerted efforts to trim the time it takes to authorize cloud service providers to contract with the federal government.

The program unveiled its final version of FedRAMP Tailored baseline in September, providing agencies with low-impact Software-as-a-Service systems offered by cloud services providers for more flexible cloud adoption.

The year also saw the rollouts of FedRAMP Ready — a set of pre-authorization criteria for CSPs to evaluate themselves against before applying for an Authority-To-Operate — and FedRAMP Connect, which prioritizes the vendors the programs recognized by its Joint Authorization Board.

Last month, FedRAMP debuted its Agency Authorization Playbook, a guide of best practices for agencies in working with CSPs, and Goodrich said the program was awaiting vendor feedback on its Acquisition Guidance RFI on improving the language of cloud adoption contracts.

“We are basically asking three simple questions: Do you have good examples of FedRAMP contracting that you’ve seen and that you like, do you have bad examples that you think are horrible and also, if you were king for a day and you could write the best contract language, give that to us.”

The RFI closes Dec. 15, but Goodrich said FedRAMP could periodically reintroduce it every six months to a year.