The Federal Risk and Authorization Management Program’s (FedRAMP) Program Management Office (PMO) is in the process of drafting a standard for low-impact key security indicators (KSIs) as part of ongoing work on the program’s “20x” revamp unveiled on March 24.

The program revamp is placing a heavy focus on automation to speed the approval process for secure cloud services authorized by FedRAMP.

As part of that effort, the General Services Administration – which administers FedRAMP – has pledged to work more extensively with industry to “develop a new, cloud-native approach to authorizations” with the goals of making FedRAMP authorizations “simpler, easier, and cheaper while continuously improving security.”

The current draft development effort on a standard for low-impact KSIs was revealed on April 16 during a meeting of FedRAMP’s recently created Automation Community Working Group.

The working group’s primary aim is exploring the possibility of creating KSIs that could help the program more rapidly evaluate the security of cloud services. In its kickoff meeting earlier this month, FedRAMP staff said the working group will “discuss the technical specifications for the reporting and transmission of machine-readable requirements and security attestations between FedRAMP, the CSPs [cloud service providers], auditors, and agencies.”

The group also aims to “take a look at current and future capabilities for automated security assessments and evaluations,” and to “work with developers to find effective solutions to integrate security assessment and reporting into the existing products, infrastructure, and monitoring,” a staff member said.

During the group’s April 16 meeting, FedRAMP staff members indicated that the current draft effort falls in line with the program’s aim to tackle “low-hanging fruit” first, ahead of areas that involve more complex systems.

“The PMO is currently drafting a standard for low-impact, key security indicators,” a program staff member said on the April 16 call.

“By starting with the low impact, we can mitigate those concerns about large, complex systems – for now – in favor of developing concepts and … the minimum viable 20x process that can then serve as a jumping off point for those more complex systems,” the staff member said.

When the low-impact KSI draft is publicly released, the program will ask for feedback on the draft through a request for comment process, and FedRAMP will explain the contents of the draft in a blog post, the staff member said.

“In the near to medium term, the automating assessment working group will be focusing on cross-platform, trusted technical validation for the key security indicators,” a program staff member said.

“Obviously, we don’t have the key security indicators out yet, but once they are released, we’re looking forward to seeing engagement from this community on the development of prototypes, ideas for implementation on specific platforms, sample output or data generated from existing platforms as they relate to the KSIs and discussions around which KSI validations are possible to automate today, and validations that may need to be manually validated to start, as well as 3PAO [third party assessment organizations] engagement on all of this stuff,” a staff member said.

In explaining the drafting process, a second FedRAMP staff member acknowledged that “there’s been a lot of discussion about KSIs versus control families and how they map to NIST 853 controls.”

“As a PMO, we want to address that and say … when we’re designing key security indicators, we’re trying to maintain the spirit and intent behind the NIST 853 controls, but we will not be directly aligning with it, because, in short, 853 controls are very complicated, and in a lot of cases are not the best model for talking about security of cloud-based systems,” the staff member said.

“KSIs are best viewed as a list of values or goals that the government is expressing about the security of our systems, and then looking for the [cloud service provider] to respond to that with evidence demonstrating how you are achieving those security goals and objectives,” the staff member said.

Additionally, summarizing recent discussions on the working group’s GitHub discussion thread, the staff member said that “one common concern was that more complex systems are going to be exponentially more difficult to achieve the level of automation that we’re looking for.”

“A lot of people have brought this up, it’s been part of many, many conversations … we want to say … just 100 percent understood,” the staff member said.

“Our plan here is to start with the easy stuff … We’re going to look at cloud-native, LI [low-impact] SaaS offerings hosted on a FedRAMP authorized PaaS or IaaS vendor,” the staff member said. “We want to start with something really simple, but we also want to avoid painting ourselves into a corner by building something that’s just unworkable for the more complex systems.”

“We understand that there are lots of edge cases and there are lots of more complex systems for which this is going to be a more complicated problem space to solve, but we still want to start with those easy, kind of low-hanging fruit offerings to prove out the program and learn about what our challenges are going to be,” they said.

John Curran
John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.