FedRAMP (the Federal Risk and Authorization Management Program) is looking to automation and reciprocity with industry standards in different sectors as it focuses on improvements in 2019, said Ashley Mahan, director of the FedRAMP Project Management Office (PMO), at FCW’s Cloud Summit today.
“We truly believe that automation is something that we can and want to incorporate into the authorization process,” she said. “We’re really looking to see how we can incorporate automation into the documentation component and the continuous monitoring component so it’s not as burdensome to our cloud vendors as well as to agencies.” Mahan specifically highlighted robotic process automation and the Open Security Controls Assessment Language (OSCAL) as opportunities.
Another policy effort queued up for 2019 is increased guidance on emerging technologies from a risk management standpoint and how they apply to FedRAMP, in order to “stay one step ahead in creating guidance,” said Mahan. The PMO is also enhancing the third party assessment organization program with a test to ensure full understanding of requirements and regulatory frameworks.
FedRAMP is also looking to learn from, and explore, reciprocity with standards outside the Federal government.
“We’re doing a lot of conversations with different sectors out there, with different industry providers that maintain multiple compliance programs, to really do some learning and see if maybe we can use some of that, or account for some of that in our authorization process,” she said.
Educating both industry and agencies about FedRAMP is another key goal for the PMO. Mahan noted that her team had brought on a learning manager and is aiming to put more training materials online, supplementing the in-person training of over 250 information systems security officers last year. On the flip side, Mahan noted that FedRAMP is drawing on lessons learned from innovative pilots like the Air Force’s Kessel Run to find synergies.
Mahan’s presentation also included some statistics on FedRAMP’s success, with 156 participating agencies, 750 meetings with agencies and industry last year, and authorizations reused by Federal agencies over 1,000 times since the program’s inception.
The expansion of FedRAMP also benefits citizens, she said.
“One-third of the world’s internet traffic goes through providers that have a FedRAMP authorization. Why should you care about that? Because a lot of our environments are also public environments, so as a citizen, if you’re using any of these environments, the citizen information that’s going in and out of these environments is also protected,” she said.