There is little disagreement among agency and industry technology leaders that the overhaul of the cloud security program known as FedRAMP is necessary and appropriate.
For much of the last decade, experts have mostly agreed with the spirit and intent of the Federal Risk Authorization and Management Program — to standardize and make the use of secure cloud services easier.
At the same time, over the last decade since the Office of Management and Budget launched FedRAMP in 2011, challenges have emerged like barnacles attached to a boat.
In many ways, the new draft FedRAMP memo is symbolically scraping those crustaceans off the bottom of the program to increase speed and reduce the burden on agencies and industry alike.
“I think this will be a huge improvement to FedRAMP. The improvements I’m talking about are who is managing the cloud security approvals, the resources for [the General Services Administration] and the end results if it is done in standard way,” said one agency chief information officer, who requested anonymity because they didn’t get permission to talk about a draft memo. “FedRAMP is a good program. I love the idea of a standard, but over the years there are concerns about the risk appetite among agencies depending on their missions and data. There always are concerns about whether the sponsoring agency or the Joint Authorization Board (JAB) has provided right risk assessment or a decision over the amount of risk. There usually is a pretty good amount of risk assessment and identification, and what decision you make over that. The way the memo is written, there will be a group of subject matter experts working that to come up with a more consistent way to determine and assess risk. That will help agencies make their own assessments and determine whether additional controls are needed.”
The CIO was one of six federal and industry experts to weigh in on the draft memo about what parts hit the target and what parts may have fallen a bit short. OMB is accepting comment through Dec. 22.
FedRAMP draft more than a patch
By and large, the experts applauded the draft memo for taking on some of the systemic problems with FedRAMP. At the same time, however, all wanted to see more details about how GSA’s program management office will implement the new approaches outlined in the draft memo.
Willie Hicks, the public sector chief technologist for Dynatrace, summed up why many agency and industry experts are excited for the new approach to FedRAMP after years of smaller changes like FedRAMP Ready or Tailored.
“I think those were attempts to make the process easier, more attainable for more companies and software-as-a-service (SaaS) providers, but, for lack of a better term, they were almost like patches or Band-Aids. They really didn’t address the fundamental problems,” Hicks said in an interview. “When I say problems, I go back to originally what FedRAMP was being geared toward: the infrastructure- and platform-as-a-service type of offerings and not as much geared towards SaaS. I don’t think it accounted for a lot of the problems that we see today, especially when you look at the vast number of SaaS platforms out there.”
When OMB released the draft memo, Drew Myklegard, the deputy federal CIO, specifically called out SaaS as one of the driving factors for these changes. Out of the 321 current FedRAMP authorized cloud services, 286 are SaaS, and another 125 are in process or in the ready stage. This is out of a total of 453 cloud services in all three stages in all three service types.
But experts say to get many of the small or medium businesses into the program, FedRAMP must address the cost and time commitment. By some estimates, to get a moderate authorization, it can cost several hundreds of thousands of dollars and take 12-18 months — if you are lucky.
OMB, recognizing the increasing desire by agencies to use SaaS, is focused on using automation and continuous monitoring to reduce cost, and accelerate time to approval without losing any rigor.
John Harmon, who leads the Elastic U.S. public sector cyber solutions business, said automation should help drive down costs and should make things go faster to let more SaaS companies into the market.
“How do we get SaaS-based companies excited about getting FedRAMP? I hear more small companies who don’t want to do it because it’s just too much of a headache, too expensive for them to do. And for any kind of new innovation, it’s a lot to ask,” Harmon said. “How do we make sure your federal stack is like your commercial stack? I’m really curious as to how much that could be done and honestly that’s one of the biggest things in the memo. That, plus the automation piece, if those things are really figured out properly that could solve making sure everything goes a little bit faster because it really is the problem.”
Automation is more than technology
The automation of the assessments and of continuous monitoring consistently came out as part of the memo experts lauded.
Jason Weiss, the chief operations officer of TestifySec, a software startup focused on securing the software supply chain, and former Defense Department chief software officer, said automation of controls and continuous monitoring also must include the reeducating of chief information security officers, authorizing officials and others about how these processes work.
He said the use of Open Security Controls Assessment Language (OSCAL), which is something FedRAMP has piloted, could be a key piece to this automation effort.
“The devil is in the details and the number of tools that support OSCAL, and more importantly, the number of tools across the federal government that can actually integrate and share that information,” Weiss said. “I think the challenge with the automation is if somebody uploads a machine readable format like OSCAL to FedRAMP, where is that going to be stored in the FedRAMP environment? How does a member of [the departments of Defense, Veterans Affairs or Homeland Security] gain access to that so that they can ingest it into their internal systems, and actually make sense and make a risk informed decision?”
He added figuring out the transparency and visibility through OSCAL or other machine readable formats will really affect the change most people want.
The other hot topic during several conversations revolved around the moving to the FedRAMP board and way from the JAB. Similar to the Technology Modernization Fund (TMF) board, the FedRAMP board will include seven senior officials from across the government including OMB, GSA, DHS and DoD who will establish requirements and guidelines for security assessments of cloud services.
One agency CIO, who called themselves a reluctant user of FedRAMP, said the restructuring and augmenting of the governance process is one of the most important changes. The CIO said the JAB started out strong, but over the last few years, whether it was the pandemic or other reasons, it’s been a challenging organization that hasn’t been agile as it needs to be.
Future of JAB authorizations unclear
Stephen Kovac, chief compliance officer and head of global government affairs at Zscaler, added there are some concerns about losing the marquee of the JAB authorization and what that would mean to folks who have spent millions of dollars to earn that approval.
Underneath the new FedRAMP board will be the Technical Advisory Group (TAG). Six subject matter experts will lead the TAG to provide additional expertise to FedRAMP and advise on the technical, strategic and operational direction of the program
The first agency CIO said the TAG also will be an important change because, they hope, it will come up with a more consistent way to assess risk and one that agencies can easily understand and accept to relieve some of the burden that has built up over the years.
The second CIO added the TAG should help bring more consistency to third-party assessors by identifying areas to focus on.
“How much risk am I really accepting with the cloud security package? We’ve got to the point where teams have to go through and evaluate how the third party assessor assessed things, and almost every time in the mapping of vulnerabilities to the security controls it was completely different,” the CIO said. “I want to know that if something has a FedRAMP authorization, I want to know I can trust it and don’t have to worry about it.”
Another common theme that emerged among experts is while the draft memo is a good start, they want to see more.
While it could be another 60-to-90 days until OMB finalizes the memo after the comment due date, government and industry experts say they are looking for some sort of strategy or implementation plan from the FedRAMP program management office.
Jim Rivas, the CEO of the Cloud Security Alliance, said a key metric he will be paying attention to over the next year or more is an increase in the number of cloud providers getting through the low and moderate accreditation process.
Zscaler’s Kovac added he’d like to see more details about where the Cybersecurity and Infrastructure Security Agency fits into this discussion. There is little to no mention of CISA specifically, and Kovac said as CISA’s role in cybersecurity management and oversight has increased significantly over the last five years, leaving them out would be a grand oversight.
Finally, the second agency CIO said they will be looking for better interoperability and collaboration among agencies and the FedRAMP program office, to further decrease burdens of time and increase reciprocity.
“One challenge I’ve seen is not all agencies approach things the same when it comes to cloud services. Some are more mature and if the service they wanted couldn’t go through the JAB, it could go through the agency authorization process. While other agencies are less mature and if a service is not FedRAMP authorized, forget it, they will not use it,” the CIO said. “I would like to see more education and shepherding of the process to ensure the approach is consistent whether the cloud services goes through the JAB or agency authorization process. I think the enhanced guidance makes it consistent for all vendors too; as some say, one agency is easier than another.”