Agency reuse of cloud products authorized by the Federal Risk and Authorization Management Program (FedRAMP) continues to increase, with the program management office (PMO) automating parts of the process in fiscal 2021.
Reuse of security authorization packages is up 85% compared to pre-pandemic levels, and agency demand for cloud products grew 60% in the first half of fiscal 2021 compared to the first half of fiscal 2020.
Increases in reuse and demand coincide with the FedRAMP PMO’s work with the National Institute of Standards and Technology to standardize authorization packages and automate their review with the Open Security Controls Assessment Language (OSCAL).
“NIST recently released OSCAL Version 1, which is the first major release of OSCAL and provides a stable OSCAL platform for wide-scale implementation,” said Brian Conrad, acting FedRAMP director and program manager for cybersecurity at the General Services Administration, during a Carahsoft virtual event Tuesday. “And this release also marks an important milestone for the OSCAL project and for early adopters and implementers of security automation with OSCAL.”
Machine-readable authorization packages will allow cloud service providers (CSPs) to create system security plans faster and validate much of the content before submitting it for government review. Meanwhile, agencies can expedite their reviews, and third-party assessment organizations (3PAOs) can automate planning, execution and reporting of their activities.
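As an added illustration (not code from FedRAMP, NIST or the article), the kind of pre-submission check a machine-readable package makes possible: a CSP can confirm that every control in the imported baseline has an implemented requirement with real description text before a reviewer ever sees it. The JSON layout follows the OSCAL system-security-plan model as I understand it (`control-implementation` holding `implemented-requirements` keyed by `control-id`); the sample SSP fragment and baseline list are constructed for the example.

```python
import json

# Constructed OSCAL-style SSP fragment (not a real authorization package).
# Layout assumed from the OSCAL SSP model: each implemented requirement
# names a control-id and describes the implementation per component.
SAMPLE_SSP = json.dumps({
    "system-security-plan": {
        "uuid": "11111111-1111-4111-8111-111111111111",
        "import-profile": {"href": "constructed-moderate-baseline.json"},
        "control-implementation": {
            "implemented-requirements": [
                {"uuid": "22222222-2222-4222-8222-222222222222",
                 "control-id": "sa-4",
                 "statements": [{"statement-id": "sa-4_smt",
                                 "by-components": [{
                                     "component-uuid": "33333333-3333-4333-8333-333333333333",
                                     "description": "Contracts require security requirements in every SOW."}]}]},
                {"uuid": "44444444-4444-4444-8444-444444444444",
                 "control-id": "ir-3",
                 "statements": [{"statement-id": "ir-3_smt",
                                 "by-components": [{
                                     "component-uuid": "33333333-3333-4333-8333-333333333333",
                                     "description": ""}]}]},   # present but undocumented
            ]
        }
    }
})

# Constructed baseline: the control ids a reviewer expects to find covered.
BASELINE_CONTROLS = ["sa-4", "ir-3", "ir-4"]

def check_ssp(ssp_json, baseline_controls):
    """Return baseline controls absent from the SSP ("missing") and controls
    present without any implementation description ("empty"). Both are gaps
    an agency reviewer would otherwise have to find by reading the package."""
    ssp = json.loads(ssp_json)["system-security-plan"]
    reqs = ssp["control-implementation"]["implemented-requirements"]
    described = {}
    for req in reqs:
        # Concatenate every per-component description under the control.
        text = " ".join(
            bc.get("description", "").strip()
            for stmt in req.get("statements", [])
            for bc in stmt.get("by-components", []))
        described[req["control-id"]] = bool(text)
    missing = [c for c in baseline_controls if c not in described]
    empty = [c for c in baseline_controls if c in described and not described[c]]
    return {"missing": missing, "empty": empty}

if __name__ == "__main__":
    print(check_ssp(SAMPLE_SSP, BASELINE_CONTROLS))
```

Run against the constructed sample, the check reports `ir-4` as missing and `ir-3` as present but empty, the two findings a CSP would want to fix before submission rather than after a review cycle.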
The FedRAMP PMO is developing conversion tools that will reduce review times further and hopefully increase OSCAL adoption.
“We’re really excited about the next step in that we’re going to pilot some of these validation tools with users,” Conrad said. “We have cloud service providers and 3PAOs and agencies, for that matter, stepping up — willing to take part in those pilot programs.”
At the same time, the FedRAMP PMO has teamed with the Department of Homeland Security, Cybersecurity and Infrastructure Security Agency, and .govCAR to score security controls based on how well they detect and respond to real-world threats. The threat-based authorization approach speeds up the process further by using fewer resources and focusing control implementations on the current threat landscape, Conrad said.
The FedRAMP PMO is currently considering new baselines using the NIST Special Publication 800-53 Rev. 5 security and privacy controls.
Another area the FedRAMP PMO wants to automate is continuous monitoring, having developed a web services application programming interface (API) specification allowing CSPs already using OSCAL to push and pull data to and from a secure repository — eliminating manual processes.
The office also recently released guidance on Incident Communications Procedures; Vulnerability Scanning Requirements for Containers; and updated low, moderate and high baselines for the System and Services Acquisition-4 (SA-4) and Incident Response-3 (IR-3) controls.
More guidance is on the way.
“FedRAMP is releasing an Authorization Boundary Guidance for public comment in July,” Conrad said. “This one is really critical; we get a lot of questions from stakeholders on this.”
Rep. Gerry Connolly, D-Va., provided an update Tuesday on his FedRAMP Authorization Act, which would codify the program. Introduced for the third time in a year in January, the bill was the first to pass the House in the 117th Congress and passed unanimously.
The legislation would reduce duplication of security assessments by establishing a “presumption of adequacy” if an agency already authorized a particular cloud product, require agencies to prioritize reusing products, establish a Federal Secure Cloud Advisory Committee, and fund the program at $20 million annually.
“While this has been a long journey, I’m happy to say that, with new leadership in the Senate, we’re working in lockstep with our colleagues over there to try and finally get this bill for a markup in the Senate or attached to this year’s Defense Authorization Act,” Connolly said.