The recently announced changes to one of the government’s most important security programs are a good start, but additional fixes are needed.
Dave McClure hopes that agencies aren't starting from ground zero when doing a FedRAMP assessment on a cloud vendor.
When I led the design and initial implementation of the Federal Risk and Authorization Management Program, we knew it would be evolutionary and that changes were inevitable in order for it to scale. So the recent announcements of forthcoming FedRAMP revisions are a welcome tune-up to one of the most important security programs in government.
After listening to industry, government and third-party assessment organizations (3PAOs), the FedRAMP program management office is taking important steps to make the process more predictable, transparent and streamlined.
Here are the most notable changes:
- A FedRAMP Readiness Capabilities Assessment performed by an accredited 3PAO will be required of all cloud service providers (CSPs) going through a Joint Authorization Board (JAB) review. This is analogous to the “pre-assessments” now done by some 3PAOs and will facilitate a decision on whether or not the solution will pass the assessment process while reducing the current fixation on documentation. (See FCW's previous coverage for more on the new JAB and FedRAMP Ready processes.)
- A FedRAMP high baseline is being tested and will be put in place shortly.
- Defense Department Security Requirements Guide levels are being mapped to FedRAMP moderate and high baselines, which will ensure greater congruence between the defense and civilian cloud assessment processes.
Those changes are clearly steps in the right direction. However, if a genie granted me three wishes for additional FedRAMP changes, I would argue for the following:
1. All federal cloud service acquisitions must be grounded in FedRAMP certifications. It is admirable that some 80-plus cloud solutions have FedRAMP-backed authority to operate, and many more are in the pipeline. But agencies are using hundreds if not thousands of cloud solutions without FedRAMP authorizations on file. That creates market confusion and uneven ground in competition for cloud services, and a huge disincentive for companies to spend the resources to obtain FedRAMP ATOs.
If FedRAMP is mandatory, then the Office of Management and Budget should enforce it (through TechStat, portfolio reviews and the budget process) and apply it to both new and existing cloud-based services in government.
2. Agency use of pre-existing FedRAMP Ready assessment packages must become mandatory. This is not currently required, and it continues to undermine the original desire to have agencies do the bulk of cloud security assessments under FedRAMP. Put simply, an agency should not be starting from ground zero when doing a FedRAMP assessment on a cloud vendor solution that has already received an ATO from another agency or JAB.
Yes, the risk profile of an agency might be different, and that is a legitimate reason for doing some additional or modified security controls testing. But throwing the baby out with the bath water should not be allowed. To do so would take us back to a Federal Information Security Management Act-like paradigm with duplicative assessments.
3PAO and JAB assessment reuse was a foundational tenet for FedRAMP. CSPs should have a hotline into the FedRAMP PMO and/or OMB’s e-government office to report suspected deviations, and OMB must be able to review and change agency directions if necessary.
3. The government should provide more transparency and information on how JAB will prioritize its reviews of FedRAMP Ready solutions. CSPs must make business decisions about whether and when to pursue FedRAMP authorizations through JAB or with an agency. Because the CSP Supplied route has been scrapped, companies with little or no past government business don’t have a clear option. They can go through the review process and become FedRAMP Ready, but without knowing how JAB is prioritizing its review queue, the CSP is put in a difficult position with unclear options.