As the Federal Risk and Authorization Management Program (FedRAMP) gears up for its 20x Phase Two pilot, the program this week released two new requests for comment (RFCs) and a new Vulnerability Detection and Response (VDR) Standard.

The General Services Administration’s (GSA) FedRAMP aims to provide a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies.

In March, the program launched FedRAMP 20x, a revamp effort that places a heavy focus on automation to speed the approval process for secure cloud services authorized by the program.

Qualifying cloud service offerings that successfully complete Phase One – which ended last month – will receive a 12-month FedRAMP Low authorization and will be prioritized for FedRAMP Moderate authorization in Phase Two.

FedRAMP said it plans to officially announce the FedRAMP 20x Phase Two on Sept. 24.

New 20x VDR Standard

In preparation for Phase Two, FedRAMP released the 20x Vulnerability Detection and Response Standard on Sept. 10 based on the outcomes from a request for comment issued in July on the Continuous Vulnerability Management Standard.

FedRAMP said the new 20x standard “formalizes requirements for FedRAMP Authorized cloud service offerings to proactively and continuously identify, analyze, prioritize, mitigate, and remediate vulnerabilities. It emphasizes automated detection and response, ensuring robust and efficient security practices.”

The FedRAMP team said the 20x VDR standard will streamline vulnerability management for cloud service providers (CSPs); enable federal agencies to make risk-based authorization decisions with easily consumable security data; and move away from outdated, manual processes to automated approaches.

This release is effective Sept. 15 for FedRAMP 20x.

“Phase One Pilot participants have one year from authorization to fully implement this standard but must demonstrate continuous quarterly progress,” the standard says. “Phase Two Pilot participants must demonstrate significant progress towards implementing this standard prior to authorization.”

As for FedRAMP Rev 5, this release is “tentatively” effective Oct. 8.

Requests for Comment

FedRAMP also published two requests for comment on Sept. 11 to help advance cloud security and efficiency.

The first, RFC-0014: Phase Two Key Security Indicators, proposes changes to existing key security indicators (KSIs) and introduces new ones for both FedRAMP Low and Moderate authorizations.

“It emphasizes automated validation for Moderate authorizations, moving beyond written attestations accepted in 20x Phase One,” the FedRAMP team said.

Key security indicators summarize the security capabilities expected of a CSP that wants to obtain and maintain a FedRAMP 20x authorization.

The RFC summarizes changes to KSIs that FedRAMP said were either “ineffective, unclear, or insufficient.” The new KSIs aim “to resolve outstanding gaps and integrate additional controls,” according to the RFC.

The second, RFC-0015: Recommended Secure Configuration Standard, aims to formalize FedRAMP requirements and recommendations for secure configurations of cloud service offerings. The standard is required by Executive Order 14144, as amended by President Donald Trump in Executive Order 14306.

“Cloud service providers nearly always provide guidance to customers with recommended secure configurations for critical services. This standard formalizes requirements and recommendations from FedRAMP about specific recommendations on secure configurations that agency customers should have in advance while setting up a cloud service offering,” the RFC says.

When formalized, this standard will apply to both FedRAMP 20x and FedRAMP Rev 5.

Responses to both of the requests for comments are due by Oct. 10.

About
Grace Dille
Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.