
The Federal Risk and Authorization Management Program (FedRAMP) issued calls for comment today on three significant program changes as part of the FedRAMP 20x program revamp announced last month by the General Services Administration (GSA), which runs the program.
Today’s calls for comment follow several meetings held over the past month by four new FedRAMP working groups, which are exploring program improvements in the areas of continuous monitoring, automating assessments, applying existing frameworks, and continuous reporting.
The ongoing program revamp is placing a heavy focus on automation to speed the approval process for secure cloud services authorized by FedRAMP, and make the process of obtaining program authorizations simpler, easier, and cheaper while continuously improving security.
Under the first of those three calls for comment, FedRAMP said it plans to replace an existing Significant Change Request process “with an updated Significant Change Notification standard.” According to FedRAMP, “the process asserts authorizations granted to cloud service providers include the authority to make changes that are in the best interest of agency customers without asking permission from an authorizing official in advance, in most cases.”
Under the second call for comment, the program is proposing to create Key Security Indicators (KSIs) that will create “an abstraction layer to summarize the security capabilities expected of a cloud-native service offering to meet FedRAMP Low authorization requirements.”
“These Key Security Indicators will be updated after public comment and formalized for use in the FedRAMP 20x Phase One Pilot to grant FedRAMP Low authorizations,” the program said. “During Phase Two, Key Security Indicators will be expanded for FedRAMP Moderate authorizations.”
“Authorization packages based on Key Security Indicators must be machine-readable, supported by evidence, and should include automated technical validation whenever possible,” the program said in its call for comment.
Under the third call for comment, the program is proposing a “FedRAMP Minimum Assessment Scope” that “proposes an approach to assessing the security of federal information handled by cloud services that provide services to federal agency customers by including all information resources managed by a cloud service provider and their cloud service offering that”: 1) handle Federal information; and/or 2) likely impact confidentiality, integrity, or availability of Federal information.
“Information resources where (1) or (2) do not apply, including most metadata, should be excluded from FedRAMP assessment,” the program said.
Comments for each of those items are due on May 25.
In a blog post announcing the calls for comment, the FedRAMP program recapped progress over the past month from its program office and working groups. It also pointed to a very busy schedule for further possible program changes.
Under the heading of “Next Month: 20x Phase One Pilot & Continuous Improvement,” the program said that its 20x Phase One pilot is open to the public and explained that “qualifying cloud service offerings that successfully complete Phase One will receive a 12-month FedRAMP Low authorization and will be prioritized for FedRAMP Moderate authorization in Phase Two.” It added that “federal agency sponsors are not required to participate in Phase One.”
“We’ve done all of this while managing a shifting resource landscape, with the loss of many in our wider community that have been a part of the program for over a decade,” the FedRAMP team said.
“As circumstances and priorities change across the government, our attrition rate is lower than anticipated a month ago,” the program said. “We said goodbye to many people this month, including four federal staff and 26 contracted security reviewers who supported FedRAMP for many years and recently completed a record-breaking three-month review marathon that exceeded expectations.”
“Our team still has the right folks to deliver against FedRAMP 20x expectations and will continue to demonstrate our commitment through collaboration with stakeholders and continuous incremental delivery,” the program said.