The Federal Risk and Authorization Management Program sees an opportunity to apply the .govCAR methodology to eight other aspects of the authorization process beyond informed risk management.
FedRAMP's Project Management Office (PMO) recently partnered with the Cybersecurity and Infrastructure Security Agency to adapt its .govCAR method to score cloud service providers' (CSPs) security architectures based on their ability to detect, respond to and protect against real-world threats.
The PMO hopes .govCAR will streamline the security authorization process by shifting it from compliance to risk management, helping vendors enter the market faster, increasing reuse of security authorization packages, identifying security control gaps and duplications, and supplying agency officials with risk data to make informed decisions.
The .govCAR framework is a recently established methodology for assessing cyber threats that is broken down into three levels of detail: stages, objectives, and actions.
“FedRAMP is exploring how this data can be used to create a risk profile of each security capability in support of authorization decisions,” said Zach Baldwin, program manager for strategy, innovation and technology within the PMO, during the Cloud Security Alliance FedSummit 2021 on Thursday.
The program uses .govCAR to conduct a threat analysis assigning protection values to each security control and ranking them. FedRAMP is currently conducting control assessments deconstructing security controls into control items and plans to release updated risk scoring in an upcoming blog post, Baldwin said.
In the meantime, there are eight other aspects of FedRAMP authorization for which the program is eyeing .govCAR.
FedRAMP wants to incorporate .govCAR into annual assessments to focus on prioritized threat-based controls, and to use it to assess the program's tailored baseline, simplifying and expediting the process to enter the federal marketplace. Vendors would need only equip systems with the most effective controls to pass muster.
.govCAR could also have a role in the agile authorization process, allowing information systems to go live once a subset of controls is implemented, as well as producing a risk profile using the Open Security Controls Assessment Language (OSCAL). That would enable near-real-time updates of information system risk profiles, allowing for better decision making and ongoing authorization.
The method could also assist authorization decision making with threat-based data, help prioritize remediation efforts, identify agencies’ desired future states, and enhance continuous monitoring of systems.
CSA is incorporating continuous monitoring into its own Security Trust Assurance and Risk (STAR) Certification program, as an alternative to expensive third-party FedRAMP audits. The nonprofit expects to perform a proof of concept later this year or early next, though it has a "long way" to go before FedRAMP recognizes STAR Level 3, its continuous auditing certification, John Yeoh, global vice president of research at CSA, told FedScoop.
“What we’re trying to get to is more of a continuous monitoring approach to auditing, and it gets really difficult because how do you have real-time visibility into different environments?” Yeoh said. “So we’re working with cloud providers and third-party vendors on identifying key parameters that you actually can see anytime.”