Changes Ahead: FedRAMP’s Roadmap To The Future

BakerHostetler

There were no signs of slowing down as FedRAMP announced its ambitious plan to make significant changes over the next two years.

During a recent public forum, FedRAMP discussed the planned changes to its program to accelerate FedRAMP authorization and ease the way for cloud service providers (CSPs) to work with the government while maintaining security. In particular, this public forum previewed changes to come and the vision driving these changes.

Robin Carnahan, the administrator of the U.S. General Services Administration (GSA), began by explaining that the roadmap is an ambitious living plan. Throughout the forum, each speaker encouraged participants to use the public comment periods to provide feedback and help shape the future of FedRAMP.

As shown in FedRAMP’s roadmap summary below and as discussed during the forum, FedRAMP is in a time of transition.

The Path Forward

FedRAMP’s roadmap summary helps explain planned updates to the program.

FedRAMP’s High-Level Roadmap

Planned milestones across three periods: FY24 (Q3-Q4), FY25 (Q1-Q2) and FY25 (Q3-Q4)
● Pilot a new agile significant change process
● Begin publishing a knowledge base of guidance and examples to help navigate FedRAMP
● Bring more technical capacity and expertise into the program
● Release updated guidance on FIPS 140
● Release updated guidance on integrations with external services
● Implement low-review process with trusted authorizing partners
● Form initial joint authorization groups
● Release approach for centralized continuous monitoring
● Pilot machine-readable “digital authorization packages” with cloud service providers and agencies
● Propose new key performance metrics
● Enhance knowledge base of guidance, training, and examples based on feedback and survey
● Incorporate CISA SCuBA guidance into secure configuration profiles
● Define initial approach for reciprocity between external frameworks and low baseline
● Define core security expectations across FedRAMP authorizations, and a threat-based approach to updating them regularly
● Partner with CISA on red teaming and specialized reviews
● Publish low-review FedRAMP authorization criteria
● Publish initial program authorization criteria
● Migrate to new FedRAMP technology platform
● Pilot user workflows within the FedRAMP platform
● Pilot threat sharing between FedRAMP platform and CISA CDM
● Incorporate secure configuration profiles into FedRAMP marketplace
● Release crosswalk between external frameworks and FedRAMP low baseline
● Release draft Expert Risk Assessment Framework (“red teaming”)
● Move to low-review FedRAMP authorization process for more agencies
● Centralize and automate continuous monitoring
● Establish program authorization path
● Publish new key performance metrics
● DHS CDM Dashboard integration

(Source: https://www.fedramp.gov/assets/resources/documents/FedRAMP-Program-Roadmap-2024-2025-Public-Artifact.pdf)

The public forum speakers addressed two main topics: (1) the authorization process and (2) moving toward automation.

The Authorization Process

FedRAMP plans to update the authorization process. Historically, CSPs could achieve FedRAMP authorization for a service in two ways: the CSP could obtain (1) an Authority to Operate (ATO) from a federal agency or (2) a Provisional Authority to Operate (P-ATO) from FedRAMP’s Joint Authorization Board (JAB). FedRAMP has paused the JAB process while it reviews and updates its authorization process. As part of these updates, FedRAMP announced that the JAB will be replaced by a new board that will serve as the official governing body for FedRAMP.

Moving forward, FedRAMP’s goal is to make obtaining authorization easier for CSPs, including smaller CSPs that have found the process prohibitively complex and expensive. At the same time, FedRAMP is focused on ensuring that CSPs are implementing the security measures needed to protect the information in their care.

One proposed process improvement raised by Ryan Palmer, senior technical and strategic advisor at FedRAMP, is to establish a lighter review track for CSPs that have already received authorization from agencies known to have a rigorous review process. Another is to establish reciprocity with external frameworks such as SOC 2 Type II. If implemented, this reciprocity would allow CSPs to build on their existing compliance work rather than duplicating it to obtain FedRAMP authorization.

Moving Toward Automation

Many of the planned FedRAMP updates focus on automating processes. Palmer noted that the current process to obtain and maintain authorization is manual and would be better supported through automation and technology-forward operations. FedRAMP, in collaboration with the National Institute of Standards and Technology (NIST), is working to automate the authorization process by developing a common machine-readable language, the Open Security Controls Assessment Language (OSCAL). By adopting OSCAL, FedRAMP anticipates that authorization package deliverables, such as the System Security Plan (SSP), will be created more rapidly and accurately, and in a way that is easier to validate. The use of OSCAL is also meant to help Third Party Assessment Organizations (3PAOs) automate assessments and to expedite the authorization package review process for agencies.

FedRAMP has already created a registry on GitHub that is specific to the SSP. FedRAMP also plans to adopt OSCAL for other authorization package deliverables, including the Security Assessment Plan (SAP), Security Assessment Report (SAR), and Plan of Actions and Milestones (POA&Ms). When these are adopted, FedRAMP will update the registry to include the OSCAL extensions for each of these deliverables.

CSPs can currently submit both the paper version of the SSP and the OSCAL version. During the forum, a participant noted that creating both submissions is an onerous task and parts of the current SSP do not cleanly map to OSCAL. OSCAL also asks for more information than what is required in the traditional SSP. As a result, there will not be a clean one-to-one crosswalk. David Waltermire, lead for data strategy and standards at FedRAMP, noted that FedRAMP is also working through these challenges.
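To illustrate the kind of automated validation that a machine-readable SSP makes possible, here is an added Python example written for this page (it is not FedRAMP's or NIST's tooling). The field names follow the OSCAL SSP JSON model, but the package fragment and the baseline control list are constructed for the example, and the "missing", "empty" and "extraneous" findings are the example's own categories rather than FedRAMP review criteria.

```python
import json

# Constructed, simplified OSCAL SSP fragment for this example (not a real FedRAMP
# package). Field names follow the OSCAL SSP JSON model (control-implementation ->
# implemented-requirements -> statements -> by-components); UUIDs are placeholders.
SAMPLE_SSP = json.loads("""
{
  "system-security-plan": {
    "uuid": "00000000-0000-4000-8000-000000000001",
    "import-profile": {"href": "#hypothetical-low-baseline"},
    "control-implementation": {
      "implemented-requirements": [
        {"uuid": "00000000-0000-4000-8000-000000000002", "control-id": "ac-2",
         "statements": [{"statement-id": "ac-2_smt.a",
                         "by-components": [{"component-uuid": "00000000-0000-4000-8000-000000000003",
                                            "description": "Accounts are provisioned through the central IdP."}]}]},
        {"uuid": "00000000-0000-4000-8000-000000000004", "control-id": "ac-3", "statements": []},
        {"uuid": "00000000-0000-4000-8000-000000000005", "control-id": "cm-99", "statements": []}
      ]
    }
  }
}
""")

# Hypothetical subset of the controls the imported profile is assumed to require.
BASELINE_CONTROLS = ["ac-2", "ac-3", "ia-2", "sc-13"]


def has_narrative(req):
    """True if at least one statement carries a non-empty by-component description."""
    return any(bc.get("description", "").strip()
               for s in req.get("statements", [])
               for bc in s.get("by-components", []))


def coverage_report(ssp, baseline):
    """Check the SSP's implemented-requirements against a baseline control list.

    Reports controls the baseline needs but the SSP omits, controls listed with no
    implementation narrative (nothing for an assessor to test), controls claimed
    that the baseline does not ask for, and controls that are fully covered."""
    reqs = ssp["system-security-plan"]["control-implementation"]["implemented-requirements"]
    by_id = {r["control-id"]: r for r in reqs}
    return {
        "missing": [c for c in baseline if c not in by_id],
        "empty": sorted(c for c, r in by_id.items() if not has_narrative(r)),
        "extraneous": sorted(c for c in by_id if c not in baseline),
        "covered": [c for c in baseline if c in by_id and has_narrative(by_id[c])],
    }
```

On the constructed sample this flags ia-2 and sc-13 as missing, ac-3 and cm-99 as empty, cm-99 as extraneous, and ac-2 as covered; the same comparison against a paper SSP is a manual line-by-line review.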

Waltermire added that FedRAMP would like to create a graphical user interface (GUI) for OSCAL to make it easier to complete the authorization package deliverables. The GUI is also intended to make the authorization process more accessible to smaller organizations.

The Future

Overall, FedRAMP will be making many significant changes in the months and years to come. FedRAMP continues to issue requests for public comment on its draft guidance as well as requests for volunteers for its pilot programs. This transitional period is providing a tremendous opportunity to provide input and help shape the future of the program.

Taking Action

CSPs that hold or are seeking FedRAMP authorization should understand the changes implemented in the past year and the changes proposed for the coming months and years. To stay abreast of these changes, CSPs should monitor new FedRAMP developments through the blog at https://www.fedramp.gov/blog/.

In preparation for these changes, CSPs should review FedRAMP’s guidance on OSCAL and consider how to convert their SSP into this new format. This will be essential as FedRAMP moves toward automating its processes.

CSPs that want to take an active role in shaping the program should consider reviewing and submitting comments on the guidance that FedRAMP is releasing.
