The Federal Risk and Authorization Management Program (FedRAMP) is working on proposed changes to current continuous monitoring reporting standards and data repository standards and expects to release draft versions of those proposed changes in the May-July time frame.

That was the takeaway from an April 28 meeting of the program’s Rev 5 Continuous Monitoring Working Group, which was created last month as part of the program’s larger “20x” revamp effort.

The program revamp is placing a heavy focus on automation to speed the approval process for secure cloud services authorized by FedRAMP, and to make the process of obtaining program authorizations simpler, easier, and cheaper while continuously improving security.

As part of the 20x effort, FedRAMP created four new working groups to explore program improvements in the areas of continuous monitoring, automating assessments, applying existing frameworks, and continuous reporting.

At the April 28 Rev 5 Continuous Monitoring Working Group meeting, a FedRAMP official talked about two new standards currently in development.

The first involves changes to the program’s continuous monitoring reporting standard that would shift “continuous monitoring activities away from delivering paperwork to an information-driven approach,” according to materials provided by the working group.

A draft of the proposed change is currently in review with the FedRAMP Technical Advisory Group (TAG), and the program expects to release the draft for public inspection in the May-June timeframe.

“The goal is to develop an objective-driven assessment of continuing monitoring performance using multiple data points that can already be gleaned from your continuous monitoring requirements,” one FedRAMP staff member said during the meeting.

“Secondarily, we’re trying to get rid of the notion in the process of just tossing half a dozen continuous monitoring files over the fence to agency partners, all in specified formats and all requiring some level of analysis in order to glean insights or information,” the staff member said.

“This shouldn’t change the requirements that you have for continuous monitoring activities, but it should lower the administrative burden for cloud service providers, while also providing insights into the overall security posture and its hygiene for agency partners,” the staff member said.

The second effort involves changes to the current FedRAMP repository standards.

According to materials provided by the working group, those changes would shift new repository changes for low-to-moderate authorized cloud service providers (CSPs). In addition, “currently managed CSP repos can opt-in for early transition,” according to the working group.

Those proposed changes are currently in internal FedRAMP development, with a public draft release expected in the June-July timeframe.

A FedRAMP staff member said the effort will drive at “developing the standard as a mechanism for CSPs to house their FedRAMP data in a secure, accessible manner, moving away from our previous centralized FedRAMP managed repository.”

John Curran
John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.