As federal agencies heavily leaned into cloud computing solutions this past year, Congress and the General Services Administration are making strides to strengthen FedRAMP strategies, communications and capabilities.
One of these FedRAMP-boosting actions is in the potential passing of the FedRAMP Authorization Act this year, Rep. Gerry Connolly said during an event last week. Connolly has championed FedRAMP and in recent years has pushed to revamp the program with the FedRAMP Authorization Act. After the House passed the bill in January, Connolly said he’s working closely with Senate partners to pass the legislation this year.
“We’re now working in lockstep with our colleagues over there to try and finally get this bill marked up in the Senate or attached to this year’s National Defense Authorization Act,” Connolly said.
The bill proposes to reduce duplication of security assessments and other barriers that agencies may face in cloud adoption by establishing a “presumption of adequacy” for cloud products that are already FedRAMP certified, Connolly said, adding that it would help avoid redundant costs.
“This presumption of adequacy means that cloud service offerings met baseline security standards established by the program and should be considered for use across the federal government,” Connolly said. “Once certified, service providers will no longer have to start from scratch at each and every federal agency to demonstrate the viability of their products and services.”
Along the lines of reducing redundancies, the bill would help agencies reuse technologies that already have authorizations to operate by requiring agencies to check a centralized and secure repository. It also would form a federal secure advisory committee to facilitate dialogue among GSA, agency cybersecurity and procurement officials, and industry representatives, so as to better coordinate federal cloud adoption. The legislation would also authorize $20 million in annual appropriations for the FedRAMP program.
Connolly’s hopes for congressional support of bolstering FedRAMP come amid a year of significant increases in cloud adoption across federal agencies and concern around cybersecurity. FedRAMP Acting Director Brian Conrad mentioned that he has seen demand for cloud services rise 85% higher than before the COVID-19 pandemic.
While Connolly awaits the passage of his legislation in the Senate, FedRAMP is taking steps of its own. Conrad highlighted some of these initiatives, one of which was FedRAMP’s collaboration with the National Institute of Standards and Technology to release version one of OSCAL, the Open Security Controls Assessment Language.
“This release also marks an important milestone for the OSCAL project and for early adopters and implementers of security automation with OSCAL,” Conrad said. “As a result of machine-readable authorization packages, we anticipate several positive impacts. For one, cloud service providers are going to be able to create their system security plans more rapidly and accurately, validating much of their content prior to government review.”
Conrad added that with OSCAL v1, agencies will be able to expedite their FedRAMP security authorization package reviews, and third-party assessors can automate the planning, execution and reporting on cloud assessment activities. With OSCAL, FedRAMP can also build out its efforts in continuous monitoring authorization.
“We’ve developed a web services API specification that will allow cloud service providers who are leveraging OSCAL to push and pull data from the cloud service providers into a secure repository through this application programming interface,” Conrad said. “This is going to eliminate a lot of the manual processes that we have now on both the cloud service provider and the FedRAMP PMO.”
Alongside OSCAL, FedRAMP is developing conversion tools that will “significantly reduce the time to review security deliverables,” Conrad added. The program office will also soon pilot some of the new validation tools with users.
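Conrad’s point that machine-readable authorization packages let a provider validate its own content before government review can be illustrated with a small completeness check. The Python below is an added example, not code from FedRAMP, NIST or the OSCAL project; it assumes a simplified JSON layout modelled loosely on OSCAL’s profile and system-security-plan documents, and the field names, sample baseline and sample package are constructed for illustration.

```python
"""Pre-review completeness check for a machine-readable authorization package.

Added example (not FedRAMP, NIST or OSCAL project code). It assumes a
simplified JSON layout modelled loosely on OSCAL's profile and
system-security-plan documents; the baseline and package below are constructed.
"""
import json

# Constructed, much-reduced baseline profile: the control identifiers the
# authorizing body expects the system to address.
BASELINE_PROFILE_JSON = """
{
  "profile": {
    "metadata": {"title": "Constructed sample baseline"},
    "imports": [
      {"href": "#catalog",
       "include-controls": [{"with-ids": ["ac-2", "ac-17", "au-2", "ir-4", "ra-5"]}]}
    ]
  }
}
"""

# Constructed sample SSP with two planted defects: "ir-4" is absent entirely
# and "ra-5" carries a blank implementation description. "sc-99" is extra.
SSP_JSON = """
{
  "system-security-plan": {
    "metadata": {"title": "Constructed sample SSP"},
    "import-profile": {"href": "baseline.json"},
    "control-implementation": {
      "implemented-requirements": [
        {"control-id": "ac-2",  "description": "Accounts are provisioned via the IdP and reviewed quarterly."},
        {"control-id": "ac-17", "description": "Remote access requires MFA over TLS 1.2 or later."},
        {"control-id": "au-2",  "description": "Audit events are forwarded to the central SIEM."},
        {"control-id": "ra-5",  "description": "   "},
        {"control-id": "sc-99", "description": "Control not present in the baseline."}
      ]
    }
  }
}
"""


def baseline_control_ids(profile_doc):
    """Return the set of control ids every import of the profile includes."""
    ids = set()
    for imp in profile_doc["profile"].get("imports", []):
        for selector in imp.get("include-controls", []):
            ids.update(cid.lower() for cid in selector.get("with-ids", []))
    return ids


def implemented_controls(ssp_doc):
    """Map control-id -> implementation description for the SSP."""
    reqs = ssp_doc["system-security-plan"]["control-implementation"]["implemented-requirements"]
    return {r["control-id"].lower(): r.get("description", "") for r in reqs}


def validate_package(ssp_doc, profile_doc):
    """Produce findings a provider can fix before submitting for review.

    'missing' controls are required but absent; 'empty' ones are present with
    a blank description; 'extra' ones are not in the baseline (flagged, not
    failed); 'coverage' is the share of required controls with real text.
    """
    required = baseline_control_ids(profile_doc)
    implemented = implemented_controls(ssp_doc)
    missing = sorted(required - implemented.keys())
    empty = sorted(cid for cid, desc in implemented.items()
                   if cid in required and not desc.strip())
    satisfied = [cid for cid in required if cid in implemented and implemented[cid].strip()]
    return {
        "missing": missing,
        "empty": empty,
        "extra": sorted(implemented.keys() - required),
        "coverage": round(len(satisfied) / len(required), 2) if required else 1.0,
        "ready_for_review": not missing and not empty,
    }


def run_sample():
    """Validate the constructed SSP against the constructed baseline."""
    return validate_package(json.loads(SSP_JSON), json.loads(BASELINE_PROFILE_JSON))


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

The same check scales to a real baseline of several hundred controls without change, which is the practical benefit of a machine-readable package over a narrative document: the gaps surface on the provider’s side before a reviewer ever opens the file.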
Another critical area that Conrad highlighted is in FedRAMP’s threat-based authorization approach. For this initiative, FedRAMP partnered with the Cybersecurity and Infrastructure Security Agency to score security controls on how well they protect, detect and respond to real-world threats.
“With a threat-based approach, cybersecurity authorizations can be achieved theoretically faster, use fewer resources and be more secure because those authorizations and the control implementations are focused on the current threat landscape,” Conrad said. “FedRAMP is using this threat-based approach as we apply it to the NIST 800-53 Rev. 5 controls as we evaluate our new baselines based on that control catalogue.”
The threat-based authorization approach will hopefully enable agencies, cloud service providers and other industry partners to prioritize security control implementations that are relevant and effective against today’s threat environment, Conrad said. He added that FedRAMP expects the approach to provide better-informed risk management and the potential for faster authorization timelines.
Beyond authorizations and security strategies, FedRAMP is also looking to focus on outreach and communications this year. More specifically, the program office is expanding communications with cloud service providers through standardization and automation of messages at each stage of its authorization process. FedRAMP is also working to provide more clarity with its guidance updates.
“We want to make sure that our guidance and documents and templates are clear and simple and easy to use for all the stakeholders,” Conrad said. “Recently we released the federal incident communications procedures. We’ve released the vulnerability scanning requirements for containers. We’ve updated the FedRAMP low, moderate and high baselines.”
FedRAMP is further focusing on its agency liaison program, which launched last year to increase knowledge of and cooperation with FedRAMP at the agency level. The program office also redesigned its website this year to improve the user experience and make FedRAMP information and resources more accessible, Conrad said.