The Federal Risk and Authorization Management Program’s (FedRAMP) Applying Existing Frameworks Working Group reported on April 22 that it has been gathering initial input on ways to maximize the program’s use of existing commercial security frameworks, and is drilling further down into that topic by posing questions about machine-readable formats and shared commercial-Federal framework environments.

The working group has also surfaced a strong consensus on the compelling value of employing automation in security compliance, FedRAMP staff said.

The working group kicked off on April 8 with a public meeting that defined the group’s aims to boost the use of commercial security frameworks and reduce redundant documentation requirements as part of FedRAMP’s “20x” program revamp.

The Applying Existing Frameworks Working Group is one of four new working groups created by the program to hash out how the 20x program will deal with existing frameworks, continuous monitoring, automating assessments, and continuous reporting. Each of the groups is holding bi-weekly open meetings to chart progress, along with soliciting feedback on open GitHub pages.

During the April 22 meeting of the existing frameworks group, FedRAMP staff talked about some of the main feedback themes that surfaced thus far, and said staff was steering further discussion toward “questions about machine-readable formats, what should be considered for accepting commercial frameworks, and soliciting information on shared commercial and federal environments.”

“We’ve seen a lot of really interesting themes in the discussions,” said a FedRAMP staffer during the April 22 meeting, who said discussions have “revealed strong support for leveraging existing commercial security frameworks.”

“Several established mappings to existing federal standards were identified, including ISO, CIS controls, Cloud Security Alliance CCM and HITRUST and SOC2 trusted services criteria,” the staffer said.

“These existing mappings demonstrate substantial overlap with the federal requirements and could potentially streamline the assessment process for organizations already certified under these frameworks,” the staffer said.

“While there’s general agreement that framework reuse could help reduce costs and streamline the authorization process, participants also emphasize the importance of maintaining FedRAMP security rigor,” the FedRAMP staff member said.

“The feedback strongly indicates that CSPs [cloud service providers] rarely pursue FedRAMP as their first security certification unless they are specifically developing solutions for federal government use,” they said.

“The primary barrier is what’s known as the ‘valley of death’ where companies struggle to obtain federal contracts without FedRAMP authorization, but find it difficult to justify investment in the ramp without guaranteed federal business,” the staffer explained.

“The discussion also revealed strong consensus that numerous existing commercial frameworks provide comprehensive coverage for continuity planning, eliminating the need for FedRAMP to develop new materials,” the staffer said.

Key frameworks mentioned have included ISO, HITRUST, CMMC, NIST, and SCF, the staffer said.

“The community supports the concept of reciprocity between FedRAMP and other authorization programs, particularly at the state level certifications, but emphasizes the need for careful consideration of varying security requirements and validation processes,” the staffer said.

“Finally, the community has provided valuable insights regarding which aspects of security compliance can be automated and which require human intervention,” they said. “There’s broad consensus that automation can significantly reduce the manual effort, potentially up to 95 percent, but certain areas will still require human judgment and contextual understanding.”

The working group’s next public meeting is set for May 6 and related discussions before then can be viewed on the group’s GitHub page.

John Curran
John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.