More than two and a half years into the Federal Risk Authorization and Management Program (FedRAMP), program managers are calling the initiative a success but looking forward toward significant improvements.
The office put together a roadmap for the next two years and released the document — "FedRAMP Forward" — on Wednesday.
The roadmap (see the full timetable below) includes a number of key initiatives centered on increasing awareness of the program's core components, improving efficiencies in authorizations and implementation and continuing to adapt to the ever-changing world of cyber.
Learning from the last 30 months, the program office is planning to start — or restart — a number of initiatives, including relaunching FedRAMP.gov as a central repository for information and updates, creating a high baseline for sensitive data and developing security overlays to give agencies a singular view of compliance with the various requirements mandated by federal law.
But the most significant change moving forward is geared toward lowering costs while simultaneously speeding up the authorization process.
The roadmap points out that each authorization costs the government approximately $250,000 and takes between six and 10 months to complete.
"A framework by which agencies can reuse these authorizations is critical," the report reads. "FedRAMP's 'do once, use many times' framework creates a multiplier effect of cost savings for agencies using the same cloud environments."
Program managers are looking to give a wider, enterprise scope to the authorization process, including within agencies and across government. To achieve this, managers will be setting up inter-agency working groups to identify service providers and products that are used in multiple areas.
"The first thing we always hear from agencies is, 'Why should I do it first because then everyone else is getting it for free,'" FedRAMP Director Matthew Goodrich said. "So we want to make sure we're showing the benefits of FedRAMP across the government. If you do one, another agency does one, you're all going to benefit in the end. The entirety of government is going to save in the end."
For example, a single agency might need to approve several cloud providers for various services. The time and cost for doing all of these would be prohibitive.
At the same time, other agencies with similar needs might be working on the same issue and finding the time and cost commitments equally daunting.
Rather than operating separately, well-crafted working groups would be able to divide the work among several agencies, saving time and money without sacrificing rigor.
"The intent is for agencies to assume the bulk of responsibility for authorizing the cloud providers they use," said Kathy Conrad, acting associate administrator for the Office of Citizen Services and Innovative Technologies.
The Joint Authorization Board (JAB) would still be the main authorizers for "those that have very high use across government and where it is more appropriate for the JAB to take that government-wide view," Conrad said.
Per the schedule, the working groups are expected to launch within 12 months.
Timeline of initiatives over next two years:
6 Months
■ Baseline FedRAMP use across federal government with various data points including PortfolioStat and FISMA reporting
■ Provide practical implementation guidance for agency ATOs for initiating assessments and authorizations, reuse of ATOs and implementing solutions within an ATO cloud service
■ Publish draft multi-agency authorization methodology following FedRAMP Security Assessment Framework (SAF)
■ Develop and launch online FedRAMP training program
■ Relaunch FedRAMP.gov to improve user experience and usability
■ Publish agency procurement guidance in collaboration with OMB and OFPP
■ Publish guidelines for third-party assessment organizations (3PAOs) to address inconsistencies for security assessment activities, artifacts and methodologies
■ Identify existing workflow tools, control automation and document automation capabilities
■ Publish draft requirements for reuse of external industry compliance evidence for assessment, authorization and continuous monitoring
■ Publish roadmap for evolution of continuous monitoring to include ongoing authorizations, near real time risk analysis and greater emphasis on risk management
■ Publish guidelines with key indicators for authorizing officials to effectively perform risk analysis and more readily identify and respond to changes in risk posture of systems with existing authorizations
■ Publish draft high baseline for public comment
■ Develop framework for FedRAMP assessment overlay for compliance with relevant IT policies
■ Publish draft initial FedRAMP assessment overlay with one to two IT policies
12 Months
■ Normalize agency reported data and enhance guidance on agency reporting of FedRAMP and cloud statistics through PortfolioStat
■ Document agency success stories for FedRAMP, establishing a best practice reference guide
■ Identify and launch working groups for multi-agency authorizations
■ Publish draft multi-agency continuous monitoring methodology following FedRAMP SAF
■ Develop FedRAMP training module for agency procurement officials
■ Develop FedRAMP 3PAO training module in concert with FedRAMP Accreditation Board
■ Update 3PAO requirements to ensure consistency for security assessment activities, artifacts and methodologies
■ Conduct Industry Day on tools and processes for automation of CSP documentation and assessment and continuous monitoring evidence
■ Identify and map one external industry compliance framework for reuse of evidence for assessment, authorization and continuous monitoring
■ Publish guidelines and requirements for automating and correlating continuous monitoring data across agency and JAB authorized systems
■ Finalize high watermark baseline
■ Conduct concurrent assessments of FedRAMP and additional IT policies
18 Months
■ Identify procurement options for agencies to obtain FedRAMP implementation support
■ Publish report documenting current status of FedRAMP metrics and statistics
■ Develop targeted FedRAMP training module for agency program managers
■ Publish draft requirements for automation of FedRAMP documentation
■ Complete pilot assessment of one CSP reusing evidence from external compliance framework
■ Automate and correlate continuous monitoring data across two agency and two JAB authorizations
■ Identify need for additional agency baseline requirements
■ Finalize FedRAMP assessment overlay framework
■ Publish formal guidance methodology for assessment overlay IT mandates
24 Months
■ Transition of continuous monitoring from JAB to multi-agency model for JAB P-ATOs that do not reach or achieve government-wide use
■ Continued updates to reference and guidance documents
■ Finalize automation requirements for FedRAMP documentation
■ Publish additional mappings of external industry compliance framework for evidence reuse
■ Automate and correlate continuous monitoring and incident reporting data across all JAB and participating agency FedRAMP authorizations
■ Publish draft flexible baseline based on identified agency needs
■ Develop two additional FedRAMP assessment overlays for compliance with additional IT initiatives
Aaron Boyd is an award-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.