FedRAMP looks to NIST for security control refinements
To speed cloud authorizations, the Federal Risk and Authorization Management Program is automating security control assessments and accrediting third-party assessors.
It's not just the large agencies that are taking advantage of the cloud. The Federal Risk and Authorization Management Program has seen great interest from smaller agencies that want to get cloud services approved for government use. The number of agencies involved in the FedRAMP authorizations has jumped to 135, 40 of which have been added in the past year.
FedRAMP officials want to continue to make it easier for agencies to get cloud service providers approved. The National Institute of Standards and Technology’s Open Security Controls Assessment Language, which speeds up the security controls assessment process through standardization and automation, will be available for testing by the end of this fiscal year, FedRAMP Director Matt Goodrich said at the June 13 ATARC Federal Cloud and Data Center Summit.
OSCAL automates FedRAMP’s security control assessments and tracks associated risks.
“We think [OSCAL] will really help agencies transform the way that they are doing their work by making sure that they can use whatever tool that they want to use and automate whatever they can in the process to do their authorizations,” Goodrich said.
Goodrich also provided an update on FedRAMP Tailored, a streamlined approval process for low-impact software-as-a-service offerings. He said 15 SaaS offerings are currently in process for authorizations with three already approved.
“Agencies can partner with vendors for authorizations, so vendors don’t need to have a third-party assessor or independent auditor,” Goodrich said. It allows agencies to “bring in new and innovative products from small businesses in a way that is cost affordable,” he said.
When it comes to third-party assessors, FedRAMP plans to add accreditation for individual assessors, with a hands-on testing program for such individuals rolling out over the next few months.
Improvements are also coming to the Joint Authorization Board process known as FedRAMP Connect. Starting this month, that process will shift from a biannual cycle to quarterly.
“It won’t impact our timelines to get to an authorization,” Goodrich said of the process. “We simply want to increase the pace at which we are selecting vendors so there is less lag time between when we prioritize and assess them in the JAB.”
FedRAMP Five
At the same event, Goodrich announced the winners of the FedRAMP Five Awards, which honor agencies and individuals who have demonstrated exceptional engagement in the FedRAMP process.
The Department of Health and Human Services won the large agency award. HHS has been the most active agency when it comes to FedRAMP authorized services, with 46 FedRAMP authorized or in-process SaaS offerings in use.
The Federal Communications Commission received the small agency award. The FCC has the most authorized and in-process SaaS offerings of any small agency at 17 and is an active participant in Information System Security Officer Training Days that support and improve the FedRAMP program.
Steven Hunt, the IT governance lead at NASA's Enterprise Managed Cloud Computing office, received the large agency tech lead award. Hunt created an enterprisewide cloud framework to help NASA minimize its compliance burden and enable mission-supporting services.
Broadcasting Board of Governors CISO Greg Gray won the small agency tech lead award. Gray was instrumental in helping his agency get a FedRAMP Tailored ATO for Adobe Sign and Creative Cloud in nine weeks.
Daniel Pane, the FedRAMP lead at HHS, received the future leader award. He has worked to standardize FedRAMP efforts across HHS and has led support in sponsoring multiple cloud service offerings.