The Federal Risk and Authorization Management Program, better known as FedRAMP, authorizes cloud service providers to work with agencies. However, once that approval process is finished (FedRAMP is still working on ways to streamline it), FedRAMP, other agencies and cloud vendors must stay vigilant and continuously monitor the security of that authorized cloud service.
FedRAMP’s staff, part of the General Services Administration, spends a large chunk of its time and resources monitoring services and it hopes to change that in 2018.
By streamlining the continuous monitoring process, FedRAMP can free up its own resources as well as those of agencies and cloud service providers (CSPs). FedRAMP Director Matt Goodrich says the program is meeting with vendors to try to figure out ways to improve and potentially automate aspects of the monitoring.
“We spend about 75 percent of our security budget in continuous monitoring in my office alone, and it is too much for any agency or organization to maintain,” Goodrich said at a Dec. 7 Digital Government Institute Cloud Computing Conference, according to GCN. “We are looking to reduce the burden of continuous monitoring — not only in our office but for our vendors as well.”
Why FedRAMP’s Continuous Monitoring Must Be Improved
At the event, Goodrich said that “FedRAMP is not a project like other compliance regimes can be. FedRAMP is a program,” according to FedScoop.
“Once you get the authorization, that’s just the beginning of the work,” he added. “You have to continuously monitor your system and continuously make sure that system is maintained, and its risk posture is maintained at an adequate level.”
To improve the monitoring process, FedRAMP has been looking at alternatives and potential ways in which the process can be automated. That would then free up the program to authorize more cloud services for agencies to use, Goodrich said, according to FedScoop.
“We are having some other meetings with vendors as well to talk through ways to automate risk reductions and things like that as well,” he said. “But we believe if we could reimagine the way we did our authorization process and reduce it by 75 percent in time, we think we can use that same smart brain power to reduce the time and money on continuous monitoring as well.”
Continuous monitoring involves “periodic reporting for scanning … change management and incident response,” Goodrich said, GCN reports. “Each of those has unique elements in it, so we are looking to address portions of it rather than doing a full-scale redesign all at once.”
FedRAMP’s continuous monitoring overhaul will likely be phased in gradually over the course of 2018, addressing each of those aspects individually.
FedRAMP Aims to Make the Cloud Authorization Process Easier
FedRAMP has taken steps in recent months to make the entire authorization process easier for agencies and cloud service providers.
In November, the program released an “Agency Authorization Playbook” that combines best practices and tips for agencies working with CSPs with step-by-step guidance agencies can follow to grant an agency authority to operate.
“We’ve seen agencies contend with a dramatic increase in demand for cloud service providers in their own agencies — this actionable playbook is an attempt to codify what we learned through our own processes and the nearly 1,000 conversations we have had with agencies and CSPs related to their FedRAMP experience over the last year,” Goodrich told GCN. “We view the playbook as a value-add for both agencies and customers that will reduce the time and cost associated with cloud adoption.”
And in late September, FedRAMP announced the release of the FedRAMP Tailored Baseline for CSPs with Low-Impact Software as a Service systems. FedRAMP Tailored is designed to speed up the approval of low-risk cloud-based services, including collaboration tools, project management applications and tools that help develop open source code.
Goodrich said FedRAMP Tailored has roughly 36 controls and an average authorization time of four to eight weeks, Federal News Radio reports.