
The Federal Risk and Authorization Management Program (FedRAMP) today kicked off a public working group that will explore the possibility of creating key security indicators (KSIs) that could help the program more rapidly evaluate the security of cloud services.
That effort is being undertaken by FedRAMP’s new Automation Community Working Group, which the program created as part of its “20x” revamp unveiled on March 24. The revamp places a heavy focus on automation to speed the approval process for secure cloud services authorized by the program.
As part of the revamp, GSA is pledging to work more extensively with industry to “develop a new, cloud-native approach to authorizations” with the goals of making FedRAMP authorizations “simpler, easier, and cheaper while continuously improving security.”
A FedRAMP program office staff member listed several initial goals today for the new working group.
The first of those is to “explore possible key security indicators that may help to rapidly evaluate the security of a service.”
The second, the staff member said, is to “discuss the technical specifications for the reporting and transmission of machine-readable requirements and security attestations between FedRAMP, the CSPs [cloud service providers], auditors and agencies.”
The third is to “take a look at current and future capabilities for automated security assessments and evaluations,” and the fourth is to “work with developers to find effective solutions to integrate security assessment and reporting into the existing products, infrastructure and monitoring,” the staff member said.
Another FedRAMP program office staff member explained that through the automation effort “our desired end state is that agencies have accurate, reliable and timely information about the security and risk posture of the services they use with a minimum burden possible on the cloud service providers.”
Comparing the intended development of KSIs to traditional FedRAMP processes, the staff member said, “The traditional FedRAMP packages contain hundreds or even thousands of pages of text, screenshots, and logs, which are expensive to produce and keep current.”
“They usually provide little additional value to the CSP, and they are complicated and time-consuming for the government to consume and evaluate,” the staff member said. “This process worked okay when we built large, siloed systems that changed infrequently over time, but for modern cloud services that iterate constantly and are often part of a web of related services that are needed for an agency to accomplish a mission, this model is too expensive, too complicated, and way too slow.”
The KSI model’s goal, the staff member said, “is to identify results that indicate a mature secure system and to summarize risk in a way that is easy for the consumer to understand.”