Brian Conrad, acting director of the General Services Administration’s (GSA) Federal Risk and Authorization Management Program (FedRAMP), explained at an FCW event today how ongoing improvement efforts are charting a path for the program over the next five to ten years.
FedRAMP provides a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by Federal government agencies, and operates mainly through its program management office and a Joint Authorization Board (JAB).
The program is 11 years old and since inception has authorized 276 different cloud products and services, which have been re-used by Federal agencies more than 4,100 times. “The whole value proposition is to authorize once, and use many times,” Conrad said.
Critics of the program often complain that it takes too long, and costs too much, to get services approved.
Speaking at the FCW event today, Conrad explained how ongoing modernization efforts aim to meet some of those concerns, with automation of FedRAMP processes as a central theme.
A major example of the automation push involves FedRAMP’s work with the National Institute of Standards and Technology (NIST) on using the Open Security Controls Assessment Language (OSCAL) to provide machine-readable representations of control catalogs, control baselines, system security plans, and assessment plans and results.
The use of OSCAL, Conrad said, allows the FedRAMP program to move away from manual handling of system security plans. “We are looking at leveraging OSCAL to streamline” reviews, he said, while adding that OSCAL will help to identify early in the process submissions featuring “suboptimal quality.”
Further use of OSCAL in the process, along with other improvements, will “set the future of the next five to ten years of the program,” Conrad said.
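As an added illustration of the kind of early, automated triage that machine-readable SSPs make possible (this is constructed example code written for this article, not FedRAMP's or NIST's own tooling), the script below reads a simplified baseline and system security plan shaped like the OSCAL JSON profile and SSP models and reports baseline controls that the SSP either omits or lists with no implementation description. It touches only the fields it needs (`imports` / `include-controls` / `with-ids` on the profile side; `control-implementation` / `implemented-requirements` / `statements` / `by-components` on the SSP side); the two documents are hand-built fragments with made-up UUIDs and are not schema-validated, so a production pipeline would validate them against the official OSCAL schemas before running a check like this.

```python
"""Constructed example: flag baseline controls an OSCAL-shaped SSP leaves uncovered."""
import json
from typing import Dict, List, Set

# Constructed fragment in the shape of an OSCAL profile (a baseline).
# Real FedRAMP baselines import hundreds of controls; four are enough here.
BASELINE_JSON = """
{
  "profile": {
    "uuid": "11111111-1111-4111-8111-111111111111",
    "metadata": {"title": "Constructed baseline (not a FedRAMP baseline)"},
    "imports": [
      {
        "href": "#catalog",
        "include-controls": [{"with-ids": ["ac-1", "ac-2", "au-2", "ia-2"]}]
      }
    ]
  }
}
"""

# Constructed fragment in the shape of an OSCAL system security plan.
# ac-1 has a real statement, ac-2 has none, au-2 has an empty one, ia-2 is absent.
SSP_JSON = """
{
  "system-security-plan": {
    "uuid": "22222222-2222-4222-8222-222222222222",
    "metadata": {"title": "Constructed SSP (not a real submission)"},
    "control-implementation": {
      "description": "Constructed control implementation",
      "implemented-requirements": [
        {
          "uuid": "33333333-3333-4333-8333-333333333331",
          "control-id": "ac-1",
          "statements": [
            {
              "statement-id": "ac-1_smt",
              "by-components": [
                {"component-uuid": "44444444-4444-4444-8444-444444444444",
                 "description": "Access control policy is reviewed annually by the ISSO."}
              ]
            }
          ]
        },
        {
          "uuid": "33333333-3333-4333-8333-333333333332",
          "control-id": "ac-2",
          "statements": []
        },
        {
          "uuid": "33333333-3333-4333-8333-333333333333",
          "control-id": "au-2",
          "statements": [
            {
              "statement-id": "au-2_smt",
              "by-components": [
                {"component-uuid": "44444444-4444-4444-8444-444444444444",
                 "description": ""}
              ]
            }
          ]
        }
      ]
    }
  }
}
"""


def baseline_control_ids(profile_doc: dict) -> Set[str]:
    """Collect every control id the profile selects via include-controls/with-ids."""
    ids: Set[str] = set()
    for imp in profile_doc["profile"].get("imports", []):
        for inc in imp.get("include-controls", []):
            ids.update(inc.get("with-ids", []))
    return ids


def ssp_implementation_text(ssp_doc: dict) -> Dict[str, List[str]]:
    """Map each control id in the SSP to its non-empty by-component descriptions."""
    out: Dict[str, List[str]] = {}
    impl = ssp_doc["system-security-plan"]["control-implementation"]
    for req in impl.get("implemented-requirements", []):
        texts = out.setdefault(req["control-id"], [])
        for stmt in req.get("statements", []):
            for comp in stmt.get("by-components", []):
                desc = comp.get("description", "").strip()
                if desc:
                    texts.append(desc)
    return out


def review(profile_json: str, ssp_json: str) -> Dict[str, List[str]]:
    """Classify every baseline control as covered, empty (no description) or missing."""
    required = baseline_control_ids(json.loads(profile_json))
    implemented = ssp_implementation_text(json.loads(ssp_json))
    missing = sorted(c for c in required if c not in implemented)
    empty = sorted(c for c in required if c in implemented and not implemented[c])
    covered = sorted(c for c in required if implemented.get(c))
    return {"missing": missing, "empty": empty, "covered": covered}


if __name__ == "__main__":
    for label, controls in review(BASELINE_JSON, SSP_JSON).items():
        print(f"{label}: {', '.join(controls) or '(none)'}")
```

Run as a script it prints one line per category; the "missing" and "empty" lists are exactly the early signal of a low-quality submission that a reviewer would otherwise only discover after reading the document by hand.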
He also spoke about the utility of FedRAMP’s agency liaison program, through which each Federal agency designates a program expert who receives training from FedRAMP and becomes an expert resource for their agency. “We have found that to be very useful,” he said.
Conrad also discussed FedRAMP’s ongoing work to align with NIST’s SP 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5 (Rev5).
According to the program’s Rev5 transition blog, the program is continuing to update FedRAMP baselines and documentation based on public comments, and in the future will release a final baseline documentation update and cloud service provider implementation plan. Conrad advised program watchers to keep an eye out for further updates.
And the program manager recapped the program’s year-old vision for the fiscal year 2022, which includes:
- Continuing to grow the program’s marketplace for services;
- Addressing ways to get more small businesses into the marketplace;
- Working with the Office of Management and Budget (OMB) “to lower barriers to entry” into the program “without lowering the bar”;
- Transforming the program’s internal business processes “to ensure the smooth running of the program”; and
- Working with the Cybersecurity and Infrastructure Security Agency’s (CISA) Continuous Diagnostics and Mitigation (CDM) Program on a dashboarding function for cloud services.