Officials with the Federal Risk and Authorization Management Program (FedRAMP) explained today that the program plans to unwind its historical role of providing continuous monitoring for cloud services authorized by FedRAMP following sharp cuts to the program’s workforce.

Earlier this year, FedRAMP reduced its workforce by letting contracts expire for about 80 contractor employees, leaving it with approximately 18 full-time government employees working for the program, which is administered by the General Services Administration (GSA).

Sources told MeriTalk earlier this month that FedRAMP in February began canceling the regular monthly meetings it held to go over continuous monitoring requirements with firms whose cloud service offerings had already received authorizations.

Speaking today at the inaugural meeting of its new Rev 5 Continuous Monitoring Working Group, Paul Agosta, cloud security officer at FedRAMP, explained the still unfolding future for the program’s continuous monitoring activities.

Agosta said the purpose of the working group – whose meetings are set for every two weeks in a public forum – is “understanding preferred pathways for transitioning current FedRAMP-managed continuous monitoring activities.”

“We’re shifting our posture and only focusing on providing those services that meet our statutory obligations,” Agosta said.

“For the past few years, we’ve been providing additional continuous monitoring activities for certain agencies and joint processes,” he said. “We will not have the manpower to continue to support these activities and will work with the community and those affected to gracefully sundown or transition those.”

“What is changing … is the way we support some of the greater continuing monitoring efforts,” he said. “We will no longer be centralizing continuing monitoring efforts, and any portions of reviews and analysis we have historically supported in that will transition over to the appropriate parties.”

That transition, Agosta explained, is at the heart of the program’s intent in creating the new working group that held its first meeting today.

“This group is focused on legacy processes,” he explained. In addition to driving toward preferred pathways for managing continuous monitoring, he said the group is aiming to share “best practices and lessons learned within community, within continuous monitoring across the community.”

Noting that the program should hit the milestone of 400 authorized services in the marketplace within days, Agosta said, “While the baseline requirements are standardized across those services, the implementation of the ‘how’ across customers varies.”

“Some CSPs [cloud service providers] have expertly navigated huge multiagency continuous monitoring programs, and some have turned to unique dashboards,” he said. “This is an opportunity for us as a community to share what has worked and what hasn’t.”

Lastly, he said, “This forum will be utilized to keep folks abreast of pending changes in the FedRAMP authorization process.”

Elsewhere during his remarks, Agosta reiterated statements made by FedRAMP Director Pete Waterman last week when GSA unveiled its new “20x” version of FedRAMP, including a heavy focus on automation to speed approval processes and a renewed pledge to work with industry to “develop a new, cloud-native approach to authorizations” with the goals of making FedRAMP authorizations “simpler, easier, and cheaper while continuously improving security.”

“First off … the current Rev. 5 agency-based authorization process will remain open without significant changes; this includes your annual assessments [and] your significant change requests as well,” he said.

Agosta noted the recent spike in FedRAMP authorizations – which he attributed to efforts of “the overwhelming majority of the FedRAMP workforce” to reduce the current backlog of applications.

In addition to bringing all hands on deck for that effort, he said, “The other thing that we’ve done to kind of shift and increase the authorization throughput has been shifting our internal processes a little bit to accommodate this.”

“We’ve traditionally worked with stakeholders to get the entirety of the authorization packet either perfect or close to perfect prior to authorization,” he said. “This approach has required multiple review meetings and took months to finalize for each cloud service provider.”

“While our internal review is still similar under the new process, we are no longer waiting for your documentation to be 100 percent right before authorizing,” he said.

“If our review identifies deficiencies within your paperwork processes or posture, we’ll start by documenting and analyzing those,” he added. “If those deficiencies are considered minor or administrative in nature, we’re pushing the authorization through, and you’ll be provided with a timeline in your authorization memo where you’ll need to remediate each of those deficiencies, have an independent assessor attest that those are fixed, and your agency acknowledges completions.”

“If those issues are considered show stoppers in nature, or we are unable to make a determination, we will work to establish a meeting and put together a corrective action plan prior to authorization,” Agosta said.

“Once the backlog is cleared, the PMO will continue to process Rev. 5 agency authorizations based on demand,” he said. “The assessments and materials included in the Rev. 5 agency authorization shall be presumed adequate for agency reuse of that FedRAMP authorization; that process is not changing.”

“Rev. 5 agency authorizations will remain the only active path to FedRAMP authorization until other paths are finalized and the community has moved on to something better,” he said.

John Curran
John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.