The Federal Risk and Authorization Management Program (FedRAMP) held a kick-off meeting on Thursday for its new Continuous Reporting Community Working Group, which will look to leverage automation to support a future state where ongoing risk monitoring is enforced, validated, and reported continuously.

Program officials explained that this approach aligns with DevSecOps best practices, which empower engineers to define their cloud infrastructure with automated function and security testing.

“This working group is dedicated to the next major iteration of FedRAMP,” said a FedRAMP staff member on today’s call.

“The new approach embraces what makes the cloud model great – like rapid iteration and continuous integration and deployment – rather than imposing outdated point-in-time assessments on the cloud model,” the staff member said.

“By leveraging near real-time metrics generated at the machine level, FedRAMP is establishing a more robust and efficient means for cloud service providers to demonstrate their security posture to agency customers,” they added.

According to FedRAMP staff, the technical infrastructure supporting this new approach “will rely heavily on automation,” particularly application programming interfaces (APIs) and dashboards of trending risk visualizations that will provide agency stakeholders with “holistic and actionable insights into the nuanced risk landscape of their cloud systems.”

“By leveraging infrastructure and security as code wherever possible and utilizing automated APIs and dashboards to visualize risk trends, FedRAMP aims to reduce administrative overhead, improve visibility, and empower agencies to make risk-based decisions through transparent, trend-based security indicators that move beyond subjective assessments,” the staff member said.

The target audience for the new working group is cloud service provider (CSP) and Federal agency security teams responsible for the oversight and maintenance of FedRAMP Authorized cloud services. Those could include CSP system owners, CSP or agency chief information security officers, CSP or agency information system security officers, and security directors, among others.

However, program staff noted that the working group is open to the public and not limited to the target audience.

FedRAMP created the Continuous Reporting Community Working Group – along with three other working groups – as part of its “20x” revamp unveiled on March 24. The revamp is placing a heavy focus on automation to speed the approval process for secure cloud services authorized by the program.

On March 31, the program launched its new Rev 5 Continuous Monitoring Working Group, and unveiled plans to unwind the program’s historical role of providing continuous monitoring for cloud services authorized by FedRAMP.

On April 2, the program kicked off its new Automation Community Working Group that is exploring the possibility of creating key security indicators (KSIs) that could help the program more rapidly evaluate the security of cloud services.

Finally, on April 8, the program launched its new Applying Existing Frameworks Working Group, which is aiming to maximize its use of existing commercial security frameworks and reduce redundant documentation requirements.

Grace Dille
Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.