FSCAC FedRAMP discussion paper for May 25, 2023 meeting

Purpose  

To inform its exercise of oversight and statutory responsibilities, OMB seeks input regarding specific challenges and opportunities related to the Federal Risk and Authorization Management Program. In particular, OMB is looking for meaningful feedback from Federal Secure Cloud Advisory Committee members on improving FedRAMP’s effectiveness at ensuring agile and secure use of the commercial cloud by the Federal Government. 

Background

FedRAMP was established in 2011 by the Office of Management and Budget to safely accelerate the adoption of cloud services by federal agencies, and to help those agencies avoid duplicating effort by offering a consistent and reusable authorization process. Since its establishment, FedRAMP has operated by partnering with agencies and third-party assessors to identify appropriate cloud services, evaluate those services against a common baseline of security controls, and create authorization packages that enable agency authorizing officials to more easily make informed risk-based decisions concerning the use of those cloud services.

At the beginning of the FedRAMP program, the federal government had a significant focus on securely facilitating use of large-scale commercial Infrastructure-as-a-Service providers, which offer virtualized computing resources that are natively designed to be more scalable and automatable than traditional data center environments. In the years since, the commercial cloud marketplace has grown, especially in the area of Software-as-a-Service).  The COVID-19 pandemic further accelerated the growth of the SaaS market, as shifts in the workplace landscape led more organizations relying on remote collaboration tools for their workforce and expanding the online services they provide to their customers.

Recognizing the value that FedRAMP has provided to Federal agencies and to industry, but with the clear need to update the program in response to a changing industry and offerings landscape, Congress passed the FedRAMP Authorization Act in December 2022 as part of the annual Defense Authorization Act. As part of that legislation, OMB is tasked with issuing “guidance describing additional responsibilities of FedRAMP and the FedRAMP Board to accelerate the adoption of secure cloud computing products and services by the Federal Government.” 

Discussion

The purpose of the FedRAMP program is to increase the Federal adoption of cloud services, while focusing cloud providers and agencies on the highest value work and eliminating redundant authorization and continuous monitoring efforts.

To achieve the above, OMB wants to grow the FedRAMP marketplace, simplify the process for industry and agencies alike, promote effective risk-management, and leverage opportunities to incorporate automation into the FedRAMP process.  Automating key components of the FedRAMP enables acceleration of the timelines to achieve authorization, promote re-use, as well as opens doors to future continuous monitoring capabilities to enable effective and timely risk-management.   

Ultimately, OMB believes FedRAMP should be able to grow the FedRAMP marketplace to include thousands of different cloud-based services over time, accelerating key agency operations while allowing agencies to directly manage smaller IT footprints and better focus resources on their core missions.

Specific areas where OMB is seeking input to expand opportunities and address challenges surrounding the FedRAMP program

OMB requests that FSCAC members review this paper ahead of the meeting and welcomes verbal responses members have to any of the questions during the meeting.

Governance and Authorizations. FedRAMP has been governed by a Joint Authorization Board (JAB) consisting of representatives from DHS, DoD, and GSA.  Each of these agencies has established an internal program office, led by technical representatives, to perform key FedRAMP functions.  These functions include reviewing authorization packages, conducting continuous monitoring, and reviewing FedRAMP procedure documents, among many other activities.  The JAB approves each provisional authorization issued to an individual cloud service provider, and each JAB member has a team that supports ongoing review and monitoring processes on a per-CSP basis.

The FedRAMP Authorization Act establishes a FedRAMP Board, replacing the JAB, that includes representatives from DHS, DOD, and GSA and up to four additional members.  In line with the Act, OMB is looking at expanding the Board to enhance agency representation and better integrate the program with the Federal community.

The FedRAMP Program supports multiple forms of authorizations to promote reusability while accommodating different Federal Government use cases.  An important priority (and challenge) of the FedRAMP program is to support flexibility while promoting reuse and maintaining a general trust in any authorization associated with FedRAMP.

Therefore, OMB is considering adjustments to the FedRAMP authorization model, with the goal of having all FedRAMP authorizations held to a well-understood set of security principles, and creating more efficiency in authorizations issued jointly by multiple agencies.  More generally, the FedRAMP program is expected to consider feedback from industry and agencies on where improvements can be made, including new authorization structures.  To assist the program in those efforts, OMB is seeking input responsive to the following questions:

• What are the most important areas for the FedRAMP Board to focus on when setting a strategic direction for the program and making the program operations more efficient?
• What are potential ways to scale the FedRAMP program to increase reuse and the overall number of CSP products?
• To both CSPs and agencies: what areas of the process require the greatest investment of time and/or money?
• In addition to the current model of agency authorizations and JAB provisional authorizations, what other types of FedRAMP authorizations could be helpful in meeting program goals?  
• Are there major areas of cybersecurity, including the risks posed by disruptive technologies, that are not yet incorporated into the FedRAMP process but should be?  
• What would be the impact of having the FedRAMP Board review and approve requirements governing how authorizations are performed, rather than directly performing and approving each joint authorization?
• What practices or policy changes might encourage or ease the process of small businesses seeking to receive FedRAMP authorizations for their products or services? 

Scope and Applicability. FedRAMP is broadly intended – in statute and in its original OMB mandate – to standardize Federal agencies’ approach to using commercial cloud.  However, cloud products (especially SaaS) have become more diverse over time, so it is not always clear within the Federal environment how to consistently and appropriately apply FedRAMP requirements.  This uncertainty can result in differing formal or de facto policies across agencies, weakening the governmentwide consistency that FedRAMP is intended to promote.  This dynamic can also cause agencies not to seek FedRAMP authorization for the use of a service that may merit one, or to require FedRAMP authorizations for services that either have negligible security impact or do not store Federal information.

OMB is considering how to determine and define which kinds of cloud-based services should be within the scope of FedRAMP. 

• What categories of externally hosted cloud services should be included within or excluded from the scope of FedRAMP? 
• Are there specific usage scenarios for cloud-based services that the FedRAMP program should consider in or out of scope? 

Reciprocity and flexibility in compliance regimes. Today, FedRAMP relies on applying a baseline derived from the set of security controls described in NIST Special Publication 800-53, as well as generally applying other security requirements for Federal agencies, such as policies and directives issued by OMB and DHS’s Cybersecurity and Infrastructure Security Agency (CISA).

OMB is seeking feedback on the appropriateness and efficacy of accepting security artifacts and assessments based on other widely used security frameworks and compliance regimes. 
What industry or alternate security frameworks, if any, should the FedRAMP program consider leveraging to help accelerate and reduce the burden of obtaining a FedRAMP authorization?  Should this differ depending on the type of FedRAMP authorization? How should the FedRAMP program consider potential gaps in mapping controls and security requirements between frameworks?

Automation. The use of automation throughout the FedRAMP lifecycle is essential to ensuring effective operations for both Federal government and industry partners. OMB is working with GSA counterparts to consider efforts to automate and streamline all parts of the FedRAMP authorization process including the development of security assessment plans, security assessment reports, and plans of action and milestones.

OMB and GSA are also collaborating to digitize and streamline additional documentation required of vendors, including small businesses. Determining the technical means to automate system security documentation, in addition to other FedRAMP processes, is a key component of the FedRAMP modernization efforts. Additionally, continued research of emerging technologies and state-of-the-industry practices will be necessary to future automation efforts in supporting program growth. Questions for discussion include:

• What areas of the current process can benefit most from automation?
• What parts of the FedRAMP process currently require redundant or manual work?
• What industry practices can be leveraged to accelerate the automation of security requirements?  
• What automation practices can best support the participation of small businesses in the FedRAMP Program?
• What parts of the FedRAMP process should not be automated and why?
• What needs to happen to enable baseline security controls to be consistently validated in an automated manner and the results captured in machine-readable data? Are there controls that cannot currently be validated in this way? 

Continuous monitoring. Agencies are required to conduct continuous monitoring activities on IT systems they use, including cloud services.  Currently, cloud service products and services that are authorized by agencies and also have FedRAMP authorizations receive little continuous monitoring from the FedRAMP program office, with the JAB providing continuous monitoring support for offerings approved centrally through the JAB. With the focus on new and flexible authorization models for cloud products and services, OMB is seeking input on enabling FedRAMP to take a more direct posture in providing continuous monitoring of FedRAMP authorized offerings that will enable agency authorizing officials to make risk-based decisions. 

• What aspects of the continuous monitoring process are the most burdensome to additional adoption of cloud products and services by Federal agencies?  
• Could standardization, centralization, and automation of some of those functions reduce costs, improve trust, or expand reuse of offerings?  
• Are there any drawbacks or specific obstacles to the FedRAMP Program taking a larger and more direct role in continuous monitoring of cloud solutions? 
• Are there any advantages to the FedRAMP Program taking a more direct role in continuous monitoring of cloud solutions? 

Permitting third-party-led authorizations. OMB welcomes feedback on whether and how the Federal government could permit private sector third-party organizations to perform core authorization and assessment functions that today are performed by agency sponsors, the FedRAMP program, or the JAB. 

For clarity, this proposal is not necessarily based on the current FedRAMP Third Party Assessment Authorizations (3PAO) process and would not necessarily involve the companies that currently function as 3PAOs.  This prompt is intended to holistically consider what role the private sector could play in the FedRAMP authorization process to effectively assess the security of cloud services and accelerate core processes. 

• At a high level, how could/should the federal government incorporate third party private sector actors into the authorization process?
• If the federal government were to allow companies to perform more of the authorization work associated with a FedRAMP authorization, how should GSA manage its accreditation and oversight of the process?