The Office of Management and Budget (OMB) has unveiled sweeping new guidance to revamp the Federal Risk and Authorization Management Program (FedRAMP), a move with widespread implications for how federal agencies adopt and secure cloud services. The modernization effort comes almost 13 years after the first cloud security memo; it addresses long-overdue challenges and aims to set the pace toward an automated, efficient, and secure cloud environment. Here are the key takeaways from the new FedRAMP policy and what it could mean for federal cloud security.
A Shift from IaaS to SaaS
The new FedRAMP policy acknowledges the evolution in cloud service preferences among federal agencies. When the first FedRAMP memo was released in 2011, agencies were mostly investing in Infrastructure-as-a-Service (IaaS) solutions. The current trend is a clear move toward Software-as-a-Service (SaaS) solutions. Speaking to Federal News Network, Drew Myklegard, Deputy Federal Chief Information Officer at OMB, emphasized that his organization is responding to this shift by standardizing processes and making them more transparent for Cloud Service Providers (CSPs).
“What we learned through that process of public comment, and in those last nine months of building out this program is that we really needed to focus on a couple of areas. One of them was automation,” said Myklegard.
Automation and Efficiency
A central theme of the updated FedRAMP policy is automation. OMB aims to reduce the duplicative work that has historically bogged down the authorization process. Security assessments delivered as machine-readable data can be ingested into agency systems automatically, fast-tracking the deployment of cloud solutions.
“It is essential that FedRAMP establish an automated process for the intake, use, and reuse of security assessments and reviews,” the memo states. This move towards automation is expected to not only speed up the authorization process but also ensure that CSPs can deliver secure cloud services more efficiently.
Within 18 months, GSA is to build on these efforts so that FedRAMP authorization and continuous monitoring artifacts are received automatically in machine-readable form. The memo requires agencies to ensure that their governance, risk, and compliance (GRC) tools and their system inventory tools can produce and ingest machine-readable authorization packages using the Open Security Controls Assessment Language (OSCAL), or any successor protocol defined by FedRAMP.
Presumption of Adequacy
One of the major new features of the policy is the “presumption of adequacy.” Under this principle, if a cloud service holds a FedRAMP authorization at a given Federal Information Processing Standards (FIPS) 199 impact level, agencies must presume that the security assessment documented in the authorization package is adequate for their use. The presumption is intended to add consistency and coherence to what the federal government requires from cloud providers.
“FedRAMP should reduce duplicative work for agencies and companies alike, bringing a measure of consistency and coherence to what the federal government requires from cloud providers,” the memo states.
Leveraging Third-Party Frameworks
There are also efforts to leverage third-party frameworks, including SOC 2 Type 2, ISO, and HITRUST, through both automation and the presumption of adequacy. In a recent interview with Federal News Network, the director spoke about the potential of these frameworks to further streamline the authorization process.
“What we see is both external like other governments and other entities using FedRAMP as an authorization in lieu of having to go through a lot of other authorizations. It’s right where the maturity level in the federal government, where we can start leveraging those frameworks to get people authorized faster,” he said.
Building a Supply Chain of Trust
As part of the modernization effort, the program is also building a trust-based supply chain. This involves a strategic pivot toward agency authorizations, joint authorizations by multiple agencies, and program authorizations by the FedRAMP PMO. These paths are intended to level the playing field and raise the security baseline across all authorizations.
Future of JAB Authorizations
Eric Mill, Executive Director for Cloud Strategy at GSA, discussed the future of Joint Authorization Board (JAB) authorizations. He stressed that program authorizations will be important for ensuring that CSPs without an agency sponsor can still be authorized.
“Our commitment to them that we’ve made privately and publicly is that we’re going to get them through the process. For a number that do have an agency sponsor, and what may or may be one or more agencies that will help them through. That is probably going to be the most straightforward way for some of them who have those relationships,” Mill said.
Strategic Hiring and Skill Enhancement
The FedRAMP PMO has recently been on a hiring spree to bring in specific skill sets for automation and strategic decision-making in support of the modernization effort. This is intended to drive effective implementation of the new policy.
Industry and Congressional Support
Leaders in industry and Congress have welcomed the new guidance. GSA Administrator Robin Carnahan commented on the administration’s commitment to using technology to improve government services.
“This highly anticipated guidance further equips GSA to make it safe and easy for Federal agencies to deploy state-of-the-art technology to deliver better service to the American people,” Carnahan stated.
Rep. Gerry Connolly, D-Va., added his own affirmation of the update, commenting that “implementation of the FedRAMP Authorization Act and continued improvements to FedRAMP will ensure the program is executing its mission of cloud safety and security for Federal agencies.”
Brian Conrad, former acting director of the FedRAMP program, said automation and reusable authorization processes were the most important things to deliver first in order to solve today’s problems.
“The guidance will encourage efficiency and streamline the implementation process for the much-needed cloud solutions of today – safely, securely and promptly,” Conrad said.
Implications for the Future
The new FedRAMP policy is expected to have major implications for the future of federal cloud security. By embracing automation and leveraging existing authorizations, it should create a more efficient and secure environment for cloud adoption. The emphasis on third-party frameworks and the creation of new authorization paths reflect a flexible approach that can respond to changes in the cloud landscape. As agencies implement these changes, the focus on reduced duplication and stronger security is likely to speed the adoption of innovative cloud solutions, driving better and safer services for the American public.