The Federal Risk and Authorization Management Program (FedRAMP) issued a call on May 9 for public comments on a proposed update to its continuous monitoring reporting rules.
The call for comment is part of the General Services Administration’s (GSA) larger FedRAMP “20x” revamp unveiled in March that aims to speed the approval process for secure cloud services authorized by the program.
Central to that effort is GSA’s pledge to work more extensively with industry to “develop a new, cloud-native approach to authorizations” with the goal of making FedRAMP authorizations “simpler, easier, and cheaper while continuously improving security.”
“The Continuous Reporting Standard identifies Key Security Metrics that must be monitored by cloud service providers and made available to agencies and FedRAMP to maintain FedRAMP authorization,” the program said in a summary of the new standard.
“This standard is based on historical FedRAMP Rev 5 continuous monitoring standards that focused on direct scanning,” the program said.
“This standard also includes guidance on application, including requirements for how frequently Key Security Metrics should be reported,” the program said. “The standard does not propose specific formats or mechanisms for reporting this information at this time to encourage initial innovation by industry, but future updates may align towards best practices on presentation.”
It added that “no action will be required of any cloud service provider without supporting guidance based on this FedRAMP Standard.”
The new continuous reporting standard proposed by FedRAMP would establish “an updated continuous monitoring reporting process for FedRAMP authorized cloud service providers that requires cloud service providers to maintain direct relationships with their customers for reporting purposes and reduce the burden for continuous monitoring by agencies,” the program said in its call for comments.
“Additional information on how these requirements will change overall and align to emerging standards such as the Significant Change Notification Standard will be provided prior to final formalization of this standard,” the program said.
Comments are due by June 9 at https://forms.gle/f5Aiu8chadAAQj8S6.
The program’s latest request for comment on May 9 follows three separate comment requests issued last month that involve: replacing the existing Significant Change Request process; creating Key Security Indicators for FedRAMP Low authorization requirements; and proposing a FedRAMP Minimum Assessment Scope for assessing the security of federal information handled by cloud services that provide services to federal agency customers.