Federal agency demand for cloud service products in the General Services Administration’s (GSA) FedRAMP marketplace showed a 60 percent year-over-year jump in the first half of Fiscal Year 2021, as agencies continued their move to cloud services in order to deal with pandemic-driven tech needs and IT modernization priorities.
The Federal agency demand picture for cloud services was one of the main takeaways from an address by Acting FedRAMP Director Brian Conrad at an August 18 event organized by FCW. He also covered FY 2022 program goals and spoke at length about the importance of putting additional automation technologies in place.
Agency Demand Growth
Conrad said FedRAMP’s work on behalf of Federal agencies “has taken on greater urgency, given the continued need to work virtually in a secure environment, and use these new cloud technologies that have helped the government become more resilient.”
He said the results of the program’s work have grown dramatically in recent years, to a total of 230 authorized cloud service products in its marketplace currently, up from 200 in September 2020, and 100 two years before that.
The approved products, he said, have been reused across the government more than 2,600 times, “which reflects FedRAMP’s commitment to help the government shift to cloud, and use these new technologies to meet agency’s missions” and undertake IT modernization efforts.
“We’ve also seen a re-use increase of 85 percent for cloud products compared to the pre-pandemic period,” Conrad said.
Conrad said the program’s to-do list currently includes “simplifying the process, growing the FedRAMP marketplace, incorporating automation into our processes, and providing more learning opportunities for the FedRAMP community.”
OSCAL Effect
Among building blocks for the program in FY2021, Conrad said has been speeding up the pace of security authorizations, and doing so through the use of automation. “We’ve looked at automation as a cornerstone of making this FedRAMP process, cheaper, faster, simpler, and more secure,” he said.
“We partnered with NIST to develop the standard machine-readable language called OSCAL (Open Security Controls Assessment Language), and FedRAMP is applying this language to its security baselines and security packages material to enable the machine-readable package documents, and that’s going to be huge,” he said.
Coupled with that step, Conrad said, are “automated validations” that FedRAMP is developing to provide “a set of validation rules to enable automated package reviews” that will allow “FedRAMP to automatically conduct low-level reviews for things like completeness, consistency, adherence to formatting, things like that, as well as automated markups and reviews.”
“The importance of this is OSCAL sets the foundation for future automation efforts associated with the end-to-end authorization audit, or automating end-to-end the authorization process,” Conrad said.
“It’s enabling this machine-readable capability to reduce time from human resources,” he said. “The end state is reducing the level of effort by using automated validations to prepare, authorize, and re-use cloud products.”
Further on the automation front, Conrad said that “automation is going to change the way that the government and industry secure cloud technologies and reduce the manual efforts for security review process.” He continued, “in turn, automation is also going to ensure higher standards of quality, and thus increase the government’s overall technology security posture, and enable re-use.”
FY2022 Priorities
Among other priorities for “next year and beyond,” Conrad said FedRAMP plans to:
- Build an “automation strategy” and conduct pilots to “make appropriate changes based on the feedback that we get”;
- “Leverage OSCAL to automate the creation of additional FedRAMP artifacts such as the CIS and CRM”;
- Develop mechanisms to auto-generate documentation;
- Implement a tool that maps vulnerabilities from automated scans to security controls;
- “Establish thresholds and integrate security control implementation statuses into the threat-based risk profile”;
- “Develop and publish guidance for a federated cloud service provider in-boundary repository.”
“That’s one of the things that’s critical to our automation efforts is having a platform in which the tools can live, that’s one of the things that we’re looking to do,” Conrad said.
As a result, he said, “theoretically cloud service providers will be able to self-test their system security plans, validating much of their own content before submission to the government,” he said.
