There were no signs of slowing down as FedRAMP announced its ambitious plan to make significant changes over the next two years.
During a recent public forum, FedRAMP discussed the planned changes to its program to accelerate FedRAMP authorization and ease the way for cloud service providers (CSPs) to work with the government while maintaining security. In particular, this public forum previewed changes to come and the vision driving these changes.
Robin Carnahan, the administrator of the U.S. General Services Administration (GSA), began by explaining that the roadmap is an ambitious living plan. Throughout the forum, each speaker encouraged participants to use the public comment periods to provide feedback and help shape the future of FedRAMP.
As shown in FedRAMP’s roadmap summary below and as discussed during the forum, FedRAMP is in a time of transition.
The Path Forward
FedRAMP’s roadmap summary helps explain planned updates to the program.
FedRAMP’s High-Level Roadmap
(Source: https://www.fedramp.gov/assets/resources/documents/FedRAMP-Program-Roadmap-2024-2025-Public-Artifact.pdf)
The public forum speakers addressed two main topics: (1) the authorization process and (2) moving toward automation.
The Authorization Process
FedRAMP plans to update the authorization process. Historically, CSPs could achieve FedRAMP authorization for a service in two ways. The CSP could obtain (1) an Authority to Operate (ATO) from a federal agency or (2) a Provisional Authority to Operate (P-ATO) from FedRAMP’s Joint Authorization Board (JAB). FedRAMP paused the JAB process while it works to review and update its authorization process. As part of these updates, FedRAMP announced the replacement of the JAB with a new board that will serve as the official governing body for FedRAMP.
Moving forward, FedRAMP’s goal is to make obtaining authorization easier for CSPs, including smaller CSPs that have found the process prohibitively complex and expensive. At the same time, FedRAMP is focused on ensuring that CSPs are implementing the security measures needed to protect the information in their care.
One proposed process improvement raised by Ryan Palmer, senior technical and strategic advisor at FedRAMP, is to establish a lighter review track for CSPs that have received authorization from agencies known to have a rigorous review process. Another is to establish reciprocity with other external frameworks such as SOC 2 Type II. If implemented, this reciprocity would allow CSPs to build on existing compliance frameworks rather than duplicating their work to obtain FedRAMP authorization.
Moving Toward Automation
Many of the planned FedRAMP updates focus on efforts to automate processes. Palmer noted that the current process to obtain and maintain authorization is a manual process that would be better supported through automation and technology-forward operations. FedRAMP, in collaboration with the National Institute of Standards and Technology (NIST), is working to automate the authorization process by developing a common machine-readable language, also known as the Open Security Controls Assessment Language (OSCAL). By adopting OSCAL, FedRAMP anticipates that authorization package deliverables, such as the System Security Plan (SSP), will be created more rapidly and accurately, and in a way that is easier to validate. The use of OSCAL is also meant to help Third Party Assessment Organizations (3PAOs) automate assessments and expedite the authorization package review process for agencies.
FedRAMP has already created a registry on GitHub that is specific to the SSP. FedRAMP also plans to adopt OSCAL for other authorization package deliverables, including the Security Assessment Plan (SAP), Security Assessment Report (SAR), and Plan of Action and Milestones (POA&M). When these are adopted, FedRAMP will update the registry to include the OSCAL extensions for each of these deliverables.
CSPs can currently submit both the paper version of the SSP and the OSCAL version. During the forum, a participant noted that creating both submissions is an onerous task and parts of the current SSP do not cleanly map to OSCAL. OSCAL also asks for more information than what is required in the traditional SSP. As a result, there will not be a clean one-to-one crosswalk. David Waltermire, lead for data strategy and standards at FedRAMP, noted that FedRAMP is also working through these challenges.
Waltermire added that they would like to create a graphical user interface (GUI) for OSCAL to make it easier to complete the authorization package deliverables. The GUI is also intended to make the authorization process more accessible to smaller organizations.
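As an added illustration of the kind of validation a machine-readable SSP makes possible (example code written for this summary, not FedRAMP's or NIST's tooling): the script loads a constructed OSCAL-style SSP fragment and reports required controls that are absent or not fully implemented. Element names follow the public OSCAL SSP JSON model; the SSP content and the required-control list are constructed placeholders, not a FedRAMP baseline.

```python
import json

# Constructed sample SSP, trimmed to the parts this check reads. Element names
# follow the public OSCAL SSP JSON model; every value is a placeholder.
SAMPLE_SSP_JSON = json.dumps({
    "system-security-plan": {
        "uuid": "ssp-uuid-placeholder",
        "metadata": {"title": "Constructed example SSP", "version": "0.1",
                     "oscal-version": "1.1.2", "last-modified": "2024-06-01T00:00:00Z"},
        "import-profile": {"href": "profile-href-placeholder.json"},
        "control-implementation": {
            "description": "Constructed sample, not a real system.",
            "implemented-requirements": [
                {"uuid": "req-1", "control-id": "ac-2", "by-components": [
                    {"uuid": "bc-1", "component-uuid": "comp-idp",
                     "description": "Accounts provisioned through the IdP.",
                     "implementation-status": {"state": "implemented"}}]},
                {"uuid": "req-2", "control-id": "ac-7", "by-components": [
                    {"uuid": "bc-2", "component-uuid": "comp-idp",
                     "description": "Lockout enforced on the web tier only.",
                     "implementation-status": {"state": "partial"}}]},
                {"uuid": "req-3", "control-id": "ir-4", "by-components": [
                    {"uuid": "bc-3", "component-uuid": "comp-soc",
                     "description": "No implementation-status given here."}]},
            ],
        },
    }
})

# Constructed required list (not a FedRAMP baseline) and the OSCAL states that satisfy a control.
REQUIRED_CONTROLS = {"ac-2", "ac-3", "ac-7", "ir-4"}
SATISFIED = {"implemented", "alternative", "not-applicable"}


def control_states(ssp_json: str) -> dict[str, set[str]]:
    """Map each control-id to the states its by-components claim; missing ones are 'unspecified'."""
    doc = json.loads(ssp_json)
    reqs = doc["system-security-plan"]["control-implementation"]["implemented-requirements"]
    states: dict[str, set[str]] = {}
    for req in reqs:
        for bc in req.get("by-components") or [{}]:
            state = bc.get("implementation-status", {}).get("state", "unspecified")
            states.setdefault(req["control-id"], set()).add(state)
    return states


def gap_report(ssp_json: str, required: set[str]) -> dict[str, list[str]]:
    """Required controls absent from the SSP, and ones present but not fully satisfied."""
    states = control_states(ssp_json)
    return {"missing": sorted(required - states.keys()),
            "incomplete": sorted(c for c in required & states.keys()
                                 if not states[c] <= SATISFIED)}
```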
The Future
Overall, FedRAMP will be making many significant changes in the months and years to come. FedRAMP continues to issue requests for public comment on its draft guidance as well as requests for volunteers for its pilot programs. This transitional period is providing a tremendous opportunity to provide input and help shape the future of the program.
Taking Action
CSPs that hold or are seeking FedRAMP authorization should understand the changes that have been implemented in the past year and the proposed changes to FedRAMP in the coming months and years. To stay abreast of these changes, CSPs should monitor new FedRAMP developments through the blogs located at https://www.fedramp.gov/blog/.
In preparation for these changes, CSPs should review FedRAMP’s guidance on OSCAL and consider how to convert their SSP into this new format. This will be essential as FedRAMP moves toward automating its processes.
For CSPs that want to take an active role in the changes to the program, consider reviewing and submitting comments on the guidance that FedRAMP is releasing.