Federal technology officials on Thursday said that while the General Services Administration’s (GSA) Federal Risk and Authorization Management Program (FedRAMP) has its limitations, they are hopeful that coming changes to the program will provide improved risk visibility.
FedRAMP aims to provide a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by Federal agencies.
The program has undergone big changes this year, publishing a new roadmap in March detailing how FedRAMP will evolve in 2024 and 2025.
In July, the White House’s Office of Management and Budget (OMB) released long-awaited guidance to overhaul FedRAMP, replacing the policy created for the program when it began in 2011. The guidance aims to reduce pain points and bolster FedRAMP’s role as a cornerstone of Federal cloud security.
“I think the FedRAMP program is a solid program [that has] provided good value for the last decade-plus to government,” Matt Smith, the senior advisor to the chief information security officer (CISO) at the Department of Homeland Security (DHS), said during a Nov. 7 event hosted by Federal News Network.
“But I think there’s a transformation going on there,” Smith said. “I’m hopeful that the automation that’s being enabled gives API-type opportunities for government to share information – agency to agency, agency to FedRAMP program, FedRAMP program to CSP [to] third party assessors.”
A major emphasis of the July guidance is streamlining FedRAMP processes through automation. The FedRAMP team intends to use automation both to reduce the documentation burden on agencies and cloud service providers and to support continuous monitoring.
Smith explained that security data should be able to flow freely, populating the dashboards and risk pictures that the Federal government is monitoring every day.
“FedRAMP is poised to be that information sharing program to lift all the ships,” he said. “DHS is heavily invested in the program … and looking forward to that ability to enable that risk picture and some of that ongoing authorization and continuous monitoring enablement across agencies that maybe aren’t as mature as DHS.”
“There’s plenty of government that’s going to rely on FedRAMP to give them the visibility into the risk that they have or that they can’t provide themselves,” Smith added.
Lynette Sherrill, the CISO at the Department of Veterans Affairs (VA), agreed with Smith’s comments, adding that “FedRAMP is making a complete shift.”
“That program is really trying to revamp itself and become a lot more automated. We’re actively working with them as well on OSCAL and getting real-time feeds of that risk picture,” Sherrill said.
However, Sherrill noted that she’s unsure if FedRAMP will be able to feed the “day-to-day risk picture” – especially for an organization as large as the VA.
“While the FedRAMP is a critical piece of our compliance side, I don’t know that it can feed that day-to-day risk picture. And I don’t know that they even have that in their sights for a real, near-term future,” Sherrill said. “That day-to-day risk picture, it becomes super critical.”
“I’ve got 1,200 systems in my inventory, having just 50 percent of those get an ATO really doesn’t tell me what the risk picture is for my enterprise, right? I mean, when you start feeding all that data up, what does that enterprise risk picture look like and what can my SOC begin to take action on about the real risk in our environment in that moment, that hour, or that day,” Sherrill explained. “That’s where we’ve got to get to.”