FedRAMP Modernization - [OMB draft memo]

The Office of Management and Budget (OMB) released a draft memorandum on modernizing the Federal Risk and Authorization Management Program (FedRAMP) on October 27th, with a 30-day comment period. Now that FedRAMP is codified in law, modernization efforts are underway to scale the program as the digital landscape evolves. Let’s review the core goals of the evolving FedRAMP program.

FedRAMP Responsibilities

  • Lead an information security program grounded in technical expertise and risk management – “Support Federal agencies and cloud providers on the most impactful security features that protect Federal agencies from the most salient threats, in consultation with industry and security experts across the Federal Government.”

As stated, the FedRAMP program needs a security program that is forward leaning and evolves into a more threat-based risk management process, to better protect government assets and end customers.

  • Rapidly increase the size of the FedRAMP Marketplace by offering multiple authorization structures – “FedRAMP is expected to create and evolve multiple authorization structures, beyond those described in this document, that provide different incentives and flexibilities to agencies to achieve these goals.”

This could be a significant change to the program with a FedRAMP sponsor-less path. Getting that first FedRAMP initial authorization has been a struggle for years for many cloud service providers (CSPs). Offering an alternate authorization path could be a significant boost for the FedRAMP program and the CSP community.

  • Streamlining processes through automation – “Automating the intake and processing of machine-readable security documentation and other relevant artifacts will reduce the burden on program participants and increase the speed of implementing cloud solutions in a timely manner.”

Automation is expected to start with FedRAMP package preparation (machine-readable format) and evolve into the assessment side over time. Fortreum has been beta-testing compliance automation for 18 months via our XRAMP offering. From a strategic perspective the intent is to normalize audit periods throughout the year; relevant to automation is the capacity to efficiently test documentation controls by ingesting OSCAL content, and technical controls by analyzing exported data from SIEM, configuration compliance, or vulnerability scanning tools.

  • Leverage shared infrastructure between the Federal Government and the Private Sector – “FedRAMP should not incentivize or require commercial cloud providers to create separate, dedicated infrastructure for Federal use, whether through its application of Federal security frameworks or other program operations.”

Fortreum agrees conceptually that the right logical separation is critical. That said, most mid/upper tier CSPs will pursue Department of Defense (DoD) business, which ultimately requires separation between a government community cloud and the commercial customer base. Even though FedRAMP and DoD have separate missions, this business direction should be acknowledged and collaborated upon.

To support different CSP business use cases within the Federal Government, it was noted FedRAMP will support multiple types of FedRAMP Authorizations.

Single agency authorization is “signed by a Federal agency’s authorizing official, that indicates that the agency assessed a cloud service’s security posture and found it acceptable.”

  • FedRAMP agency authorization is the most common authorization path we see in FedRAMP today. Once the agency issues the authorization, the package is reviewed by the FedRAMP Program Management Office (PMO) before it is listed in the FedRAMP Marketplace. That review, validation, and Marketplace placement can take several months.

Joint agency authorization is “signed by two or more Federal agencies. The FedRAMP Board and FedRAMP Program are encouraged to proactively identify, organize, and support agency cohorts to reduce their effort and expense in conducting joint-agency authorizations.”

  • Please note – “all existing Joint Authorization Board (JAB) Provisional Authorities to Operate (P-ATOs) will automatically be designated as Joint Agency FedRAMP authorizations”. What does that mean? At this time there is no impact on existing P-ATOs, but in the near future the FedRAMP JAB will transition into a broader authorization group.

Program authorization is “signed by the FedRAMP Director” and indicates that the FedRAMP program itself assessed the CSP’s security posture and found that it meets FedRAMP requirements. Per the memo, these authorizations “are intended to allow the FedRAMP program to enable agencies to use a cloud product or service for which an agency sponsor has not been identified, but for which substantial Federal use could reasonably be expected were it to be authorized.”

  • Many will remember the “CSP Supplied Path” as a FedRAMP Marketplace listing back in the day. The return of this path could be big news for the FedRAMP CSP community. CSPs regularly ask how to strategize a viable FedRAMP authorization path, and that path is often blocked by the challenge of identifying an initial authorizing agency.

Any other type of authorization is “designed by the FedRAMP PMO and approved by the FedRAMP Board, to further promote the goals of the FedRAMP program.”

  • This provides FedRAMP program stakeholders the ability to make additional authorization paths a reality. While the memorandum is not clear on the authorization direction, this allows some program flexibility in crafting alternative authorizations (e.g., Low Impact Software as a Service (LI-SaaS) for lower impact systems).

Other salient memorandum narratives include the following:

  • “FedRAMP reviews are not limited to reviewing documentation, and may direct that intensive, expert-led “red team” assessments be conducted on any cloud provider at any point during or following the authorization process.”

  • Red Team Exercises – Given the FedRAMP Rev. 5 requirement for red team exercises (CA-8(2)), we believe this is best addressed as a precursor to the FedRAMP initial and/or annual assessment. Fortreum and other third party assessment organizations (3PAOs) have been working with the FedRAMP PMO to better define the objectives of red team exercises, and we hope to see updated penetration testing guidance in the coming months. The FedRAMP PMO always reserves the right to further investigate a CSP’s security posture, for example in the event of a breach. Fortreum believes this language is intended to reinforce the right to audit when necessary.

  • “FedRAMP is encouraged to further explore FedRAMP Ready to help on-ramp additional small or disadvantaged businesses who may provide novel and important capabilities but could face challenges in accessing the Federal Marketplace.”

  • There is room for improvement in the FedRAMP Ready process. The overall review process, CSP readiness, and the FedRAMP PMO’s ability to support more capacity have all been challenging. As a result, Fortreum and other FedRAMP 3PAOs are working with the FedRAMP PMO to further streamline the process.

  • “A FedRAMP authorization is not an endorsement of a commercial product.”

  • The FedRAMP program exists to establish a baseline security posture that is validated by independent FedRAMP 3PAOs and reviewed as presumptively adequate for use by Federal agencies. As much as CSPs selling into the US public sector want more sales and business development help from the FedRAMP PMO, that is not the PMO’s role within the program or ecosystem, and CSPs need to keep that in mind as they navigate the capture process. A FedRAMP authorization is a risk acceptance that permits agency use, not an endorsement. CSPs must understand this and adhere to the government procurement process.

Automation and Efficiency – we then move into the automation and efficiency section of the memo. “GSA must establish a means of automating FedRAMP security assessments and reviews by December 23, 2023”.

  • Let’s dive into this further. The General Services Administration (GSA) must establish a “means of automating security assessments and review by December 23, 2023”. The concept of continuous assessment/monitoring has been around for a long time, with limited success from a practitioner viewpoint. In 2012, the Federal Government rolled out a program called Continuous Diagnostics and Mitigation (CDM). This risk framework was intended to provide automation, dashboarding, and near real time insight into government systems. One thing many liked about the CDM program was its maturity model (Phase 1 through Phase 3), which provided building blocks for managing and supporting risk. The same principle needs to be applied to automation, with capabilities or functions mapped to FedRAMP program outcomes. A blanket statement about establishing the means of automating FedRAMP is too broad, and the timing is unrealistic. This automation initiative needs to be grounded in foundational metrics with measurable, gated outcomes rather than blanket statements.

There are many layers to this conversation, but most simply, a measurable maturity model (depth, breadth and consistency) with gates/milestones is needed. Instead of boiling the ocean, target percentage increases in program automation over time rather than automating the entire program at once. We’ve worked on many continuous improvement (automation) efforts, and all of them were founded in incremental, measurable success.

Possibility of Framework/Accreditation Reciprocity

The memorandum offers the possibility of framework and accreditation reciprocity. This could be well received by existing CSPs. The memorandum text is excerpted below and still leaves plenty of room for interpretation.

“Therefore, FedRAMP will establish standards for accepting external cloud security frameworks and certifications, based on its assessment of relevant risks and the needs of Federal agencies. This will include leveraging external security control assessments and evaluations in lieu of newly performed assessments, as well as designating certifications that can serve as a full FedRAMP authorization, especially for lower-risk products and services. FedRAMP may make risk management decisions regarding acceptable controls for certain situations or types of cloud offerings where there are gaps or misalignments between Federal and external security frameworks, weighing whether broader interoperability with industry security processes, reduced burden on providers, or further streamlining of FedRAMP authorizations and processes may justify acceptance of a given level of security risk.”

  • Fortreum and other federal 3PAOs fully support the concept of regulatory re-use and look forward to working with the FedRAMP PMO and FedRAMP Board to capture some reciprocity. Most CSPs must undergo between 6 and 11 regulatory framework attestations each year, and any form of reciprocity will be a welcome change to the program. Rolling out a Common Control Framework (CCF) would be optimal to make this work at scale, but the ambiguity of controls and their interpretations will produce never ending debates, as each governing body has its own interpretation. We look forward to collaborating on this business challenge. Consolidation, scale and re-use are key considerations for scaling your risk management program.

The FedRAMP Board

The FedRAMP Board will consist of up to seven senior officials or experts from agencies that are appointed by OMB in consultation with GSA. The Board must include at least one representative each from GSA, the Department of Homeland Security (DHS), and the DoD, and will include representation from other agencies as determined by OMB.

  • From what we can tell, this is what the FedRAMP JAB evolves into. How this will work in terms of “Joint Agency Authorization” still lacks a clear definition, and how it will transform the FedRAMP program into a streamlined authorization process is unclear to me. Expanding membership to up to seven (the FedRAMP JAB originally consisted of representatives from GSA, DoD and DHS) will add more opinions and complexity to the process. Additional information is needed to understand how this will transform and/or improve the overall program.

Technical Advisory Group (TAG)

OMB will create a Technical Advisory Group (TAG) comprised of Federal employees to provide subject matter expertise to the FedRAMP program. The TAG will comprise up to six technical experts in cloud technologies, privacy and risk management, and will advise the FedRAMP PMO as the program evolves.

Memorandum Implementation Timelines

The memorandum includes elements of conceptual progress that require feedback from the cloud community. The goals and timelines in the memo are outlined below:

Within 90 days of issuance of this memorandum

“OMB will appoint an initial slate of members of the FedRAMP Board.”

Within 90 days of issuance of this memorandum

“annually upon request, GSA will submit a plan, approved by the GSA Administrator, to OMB, detailing program activities, including staffing plans and budget information, for implementing the requirements in this memorandum.”

Within 180 days of issuance of this memorandum

“each agency must issue or update agency-wide policy that aligns with the requirements of this memorandum. This agency policy must promote the use of cloud computing products and services that meet FedRAMP security requirements and other risk-based performance requirements as determined by OMB, in consultation with GSA and CISA. Within 180 days of issuance of this memorandum, GSA will update FedRAMP’s continuous monitoring processes and associated documentation to reflect the principles in this memorandum.”

Within one year of the issuance of this memorandum

“The FedRAMP Authorization Act requires GSA to establish a means for the automation of security assessments and reviews.”

Within 18 months of the issuance of this memorandum

“GSA will build on this work so as to receive FedRAMP authorization and continuous monitoring artifacts exclusively through automated, machine-readable means.”

Memorandum Key Takeaways

  • Joint agency authorization – This doesn’t mean the JAB is going away. As noted in the memo, “Existing JAB P-ATOs at the time of the issuance of this memorandum will be automatically designated as joint agency FedRAMP authorizations signed by two or more Federal agencies. The FedRAMP Board and FedRAMP Program are encouraged to proactively identify, organize, and support agency cohorts to reduce their effort and expense in conducting joint-agency authorizations.” Implementation of the joint agency authorization will be interesting to track and could have major impacts when executed. Adding members to the existing JAB process could complicate, rather than streamline, the authorization process.
  • Program authorization – This is one of the biggest FedRAMP program changes in this memo: bringing back the “CSP Supplied Path”, which will be welcomed by many prospective CSPs, as current authorization timelines are one of the biggest challenges in the program today. It must be implemented efficiently, because this path could carry a large share of authorizations. One open question is whether the Board will require a FedRAMP Readiness Assessment Report (RAR) before a CSP can undergo the program authorization path. Only time will tell, but being proactive and making sure you’re ready, with a gap assessment in hand, is important to your success.
  • Automation – Automation must be part of the FedRAMP modernization efforts. As noted “Within 18 months, FedRAMP will receive authorization and continuous monitoring artifacts exclusively through automated, machine-readable means.” Increasing workflow automation is a must for the FedRAMP review process to increase efficiency and the capacity to support the volume of CSPs pursuing FedRAMP authorization. Finding a seamless and automated approach may move things ahead faster than previously anticipated.

The initial push to make all documents machine readable for governing body review and the agency process is important. The current review process is not efficient, as previously noted. Conversations and use cases around OSCAL have been ongoing; in fact, AWS submitted its first System Security Plan (SSP) in OSCAL format in 2022. As the maturity of the documentation and review process improves, there will also be a push to improve FedRAMP 3PAO assessments with compliance automation. For example, Fortreum launched XRAMP last year and looks to leverage its continuous assessment validations to normalize audit and data collection throughout the year. We look forward to partnering with FedRAMP program stakeholders to improve the overall FedRAMP program.
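To make the machine-readable intake discussed here and in the automation section above concrete, the following is an added example written for this article; it is not code from the FedRAMP PMO, the OSCAL project, or Fortreum’s XRAMP. It assumes the OSCAL SSP JSON layout (system-security-plan → control-implementation → implemented-requirements, each with a control-id and narrative in nested description or remarks fields); the SSP fragment, the four-control baseline, and the function names are constructed for the demo.

```python
"""Added example: ingest an OSCAL-style System Security Plan (JSON) and
report baseline control coverage, the kind of check an automated FedRAMP
intake pipeline could run before a reviewer opens the package.

Assumptions (not from the article): the JSON follows the OSCAL SSP layout
  system-security-plan -> control-implementation
    -> implemented-requirements[] -> control-id,
with narrative text in nested "description" / "remarks" fields.
The SSP fragment and the baseline below are constructed for the demo.
"""
import json
from typing import Any

# Constructed OSCAL-style SSP fragment (not a real package): four
# implemented-requirement entries; ac-3 is listed but carries no narrative.
SAMPLE_SSP_JSON = json.dumps({
    "system-security-plan": {
        "uuid": "11111111-1111-4111-8111-111111111111",
        "metadata": {"title": "Example SaaS SSP (constructed)"},
        "control-implementation": {
            "description": "Control implementation summary (constructed).",
            "implemented-requirements": [
                {"control-id": "ac-2",
                 "statements": [{"statement-id": "ac-2_smt",
                                 "by-components": [{"component-uuid": "c-1",
                                                    "description": "Accounts are provisioned via the IdP and reviewed quarterly."}]}]},
                {"control-id": "AC-3",
                 "statements": [{"statement-id": "ac-3_smt",
                                 "by-components": [{"component-uuid": "c-1",
                                                    "description": "   "}]}]},
                {"control-id": "ra-5",
                 "by-components": [{"component-uuid": "c-2",
                                    "description": "Authenticated scans run weekly; findings tracked in the POA&M."}]},
                {"control-id": "si-4",
                 "remarks": "SIEM alerts are triaged by the SOC daily."},
            ],
        },
    }
})

# Constructed baseline: a few NIST SP 800-53 control IDs standing in for a
# full FedRAMP baseline (ca-8 is in the baseline but absent from the SSP).
SAMPLE_BASELINE = ["ac-2", "ac-3", "ca-8", "ra-5"]


def _has_narrative(node: Any) -> bool:
    """True if any nested 'description' or 'remarks' field is non-blank."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in ("description", "remarks") and isinstance(value, str) and value.strip():
                return True
            if _has_narrative(value):
                return True
    elif isinstance(node, list):
        return any(_has_narrative(item) for item in node)
    return False


def load_implemented_controls(ssp_json: str) -> dict[str, bool]:
    """Map each control-id in the SSP to whether it carries narrative text.

    Raises ValueError if the expected OSCAL structure is absent, so a
    malformed upload fails loudly instead of scoring as 'nothing missing'.
    """
    doc = json.loads(ssp_json)
    try:
        reqs = doc["system-security-plan"]["control-implementation"]["implemented-requirements"]
    except (KeyError, TypeError) as exc:
        raise ValueError("not an OSCAL SSP: missing implemented-requirements") from exc
    result: dict[str, bool] = {}
    for req in reqs:
        cid = req.get("control-id")
        if not isinstance(cid, str):
            raise ValueError("implemented-requirement without control-id")
        cid = cid.lower()  # 'AC-3' and 'ac-3' are the same control
        result[cid] = result.get(cid, False) or _has_narrative(req)
    return result


def coverage_report(ssp_json: str, baseline: list[str]) -> dict[str, list[str]]:
    """Classify baseline controls against what the SSP actually documents."""
    implemented = load_implemented_controls(ssp_json)
    wanted = {c.lower() for c in baseline}
    return {
        "implemented": sorted(c for c in wanted if implemented.get(c)),
        "undocumented": sorted(c for c in wanted if c in implemented and not implemented[c]),
        "missing": sorted(c for c in wanted if c not in implemented),
        "extra": sorted(c for c in implemented if c not in wanted),
    }


if __name__ == "__main__":
    for bucket, controls in coverage_report(SAMPLE_SSP_JSON, SAMPLE_BASELINE).items():
        print(f"{bucket:12s} {', '.join(controls) or '-'}")
```

The point of the split between “undocumented” and “missing” is that a listed control with an empty narrative is a package defect a human reviewer would otherwise have to find by reading, while a control absent from the SSP entirely is a scoping question for the CSP; an intake pipeline can raise both before any 3PAO hours are spent.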

For more information, review FedRAMP’s newly published blog post about the OMB memo and industry engagement. You can find the post and signup list here. Stay tuned for the final release and additional insight from Fortreum as the guidance evolves.
