Written by Carten Cordell
Last year, the Federal Risk and Authorization Management Program moved to streamline how it authorized the cloud service providers that contract with federal agencies. In 2018, it’s looking to fine-tune the guidance that CSPs use to meet the needs of those agencies.
The process includes new guidance adjustments, released last week, on how FedRAMP judges compliance with continuous monitoring rules. CSPs must maintain an appropriate level of “ConMon” for threats and intrusions as part of their cybersecurity risk postures.
“This is kind of a year of refinement for us,” said Ashley Mahan, FedRAMP’s agency evangelist, speaking with FedScoop at a Feb. 1 Government Information Technology Executive Council event.
Overseeing CSPs’ compliance with continuous monitoring has been a big cost driver for FedRAMP. Director Matt Goodrich said in December that the office spends 75 percent of its security budget on it. With the new guidance, FedRAMP is looking to not only streamline those requirements, but also improve compliance.
“We’re helping all of our customers understand FedRAMP, helping them navigate through the program and give them everything they need to successfully issue those authorizations and also for industry to successfully work with agencies in the FedRAMP way,” Mahan told FedScoop.
The new guidance also included updates to cryptographic protocols like Transport Layer Security and identity management standards from the National Institute of Standards and Technology.
“Basically, it was a response to a lot of industry and agency feedback with wanting to provide additional details and guidance about certain requirements,” Mahan said.
Incorporating that feedback is part of FedRAMP’s broader goal in 2018 to open up cloud adoption, which includes training for agency information security systems personnel to help empower them through the authorization process.
“I think what we really want to do this year, especially from an agency standpoint, we really want to increase the number of agencies using cloud technologies,” Mahan said. “We’ve heard from our customers that the authorization process can be lengthy, and we really want to show them that it doesn’t have to be that way.
“We’re going to show you the best practices and empower you to go through these authorizations in a quick and informative way.”