The new members of the Federal Secure Cloud Advisory Committee (FSCAC) held their first meeting last week, centered around the Office of Management and Budget’s (OMB) request for the committee to address specific challenges and opportunities related to the Federal Risk and Authorization Management Program (FedRAMP).
Ahead of the May 25 meeting, OMB asked the FSCAC members to provide meaningful feedback on improving FedRAMP’s effectiveness at ensuring agile and secure use of the commercial cloud by the Federal government.
The General Services Administration (GSA), in consultation with OMB, announced the inaugural members of the FSCAC earlier this month.
The FSCAC was created by legislation approved late last year that codified FedRAMP into law. The 11-year-old FedRAMP program is operated by GSA to provide a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by Federal government agencies.
The FSCAC will advise and provide recommendations to the GSA administrator, the FedRAMP Board, and Federal agencies to ensure effective and ongoing coordination in acquisition and adoption of cloud computing products and services.
During the meeting last week, OMB sought input to expand opportunities and address challenges surrounding the FedRAMP program in six specific areas: governance and authorizations; scope and applicability; reciprocity and flexibility in compliance regimes; automation; continuous monitoring; and permitting third-party-led authorizations.
Governance and Authorizations
The FedRAMP Authorization Act established a FedRAMP Board that includes representatives from the Departments of Homeland Security (DHS) and Defense (DOD), GSA, and up to four additional members. OMB is looking at expanding the board to enhance agency representation and better integrate the program with the Federal community.
The board’s functions include reviewing authorization packages, conducting continuous monitoring, and reviewing FedRAMP procedure documents, among many other activities.
OMB said it is considering adjustments to the FedRAMP authorization model, and the FedRAMP program is expected to consider feedback from industry and agencies on where improvements can be made.
To assist the program in those efforts, OMB sought input during FSCAC’s first meeting last week on questions related to scaling the FedRAMP program, cybersecurity risks in the FedRAMP process, and easing the FedRAMP authorization process for small businesses, among several other inquiries.
Scope and Applicability
“FedRAMP is broadly intended – in statute and in its original OMB mandate – to standardize Federal agencies’ approach to using commercial cloud,” OMB said. “However, cloud products (especially SaaS) have become more diverse over time, so it is not always clear within the Federal environment how to consistently and appropriately apply FedRAMP requirements.”
“This uncertainty can result in differing formal or de facto policies across agencies, weakening the government-wide consistency that FedRAMP is intended to promote,” it concluded.
OMB is considering how to determine and define which kinds of cloud-based services should be within the scope of FedRAMP.
Reciprocity and Flexibility in Compliance Regimes
During the meeting, OMB asked that the committee consider the appropriateness and efficacy of accepting security artifacts and assessments based on other widely used security frameworks and compliance regimes – like those from the National Institute of Standards and Technology (NIST).
FSCAC was intended to discuss which industry or alternative security frameworks, if any, the FedRAMP program should consider leveraging to accelerate, and reduce the burden of, obtaining a FedRAMP authorization.
Automation
“The use of automation throughout the FedRAMP lifecycle is essential to ensuring effective operations for both Federal government and industry partners,” the agency said. “OMB is working with GSA counterparts to consider efforts to automate and streamline all parts of the FedRAMP authorization process.”
OMB and GSA are also collaborating to digitize and streamline additional documentation required of vendors, including small businesses. The agency requested that FSCAC discuss what areas of the current process can benefit most from automation, and what parts of the FedRAMP process should not be automated, among several other prompts.
Continuous Monitoring
Agencies are required to conduct continuous monitoring activities on the IT systems they use, including cloud services. Currently, cloud products and services that are authorized by agencies and hold FedRAMP authorizations receive little continuous monitoring from the FedRAMP program office, the agency said.
With the focus on new and flexible authorization models for cloud products and services, OMB is seeking input on enabling FedRAMP to take a more direct posture in providing continuous monitoring of FedRAMP-authorized offerings, so that agency authorizing officials can make risk-based decisions.
The new FSCAC committee comprises 15 members from the public and private sectors, appointed by the GSA administrator in consultation with the OMB director. The inaugural members include Ann Lewis of GSA as the committee chair, as well as representatives from NIST, CISA, and Google, among others.