FedRAMP puts government and cloud providers on the same page on security, and Director Ashley Mahan hopes it gives smaller businesses more opportunities to work more closely with the public sector.
The Federal Risk and Authorization Management Program, better known as FedRAMP, was established in 2011 by the Office of Management and Budget, authorizing the General Services Administration to run the program management office, to help agencies work more securely in the cloud. Agencies buying FedRAMP-approved cloud services can be confident that they’ll meet government security standards. Director Ashley Mahan spoke with FedTech about the program’s goals and accomplishments, and what agencies can expect in the future.
FEDTECH: How would you describe the primary function of FedRAMP?
MAHAN: FedRAMP serves an important security role. It bridges government to the private sector, enabling agencies to take advantage of modern, transformative and secure cloud products and services. The program also standardizes security requirements for the authorization and ongoing cybersecurity of cloud services, which enables agencies to leverage and reuse security authorizations on a governmentwide scale.
There are improvements in agencies’ understanding of the program, but there are still misperceptions. We have made a deliberate push over the past few years to augment our support and training to agencies. FedRAMP will continue to scale through agencies, and we want to enable the federal government to accelerate their adoption of cloud computing by maximizing reciprocity and diminishing authorization timelines.
As we look ahead, we are excited to be establishing a volunteer FedRAMP Agency Liaison Program among the agency community. The goals are to increase collaboration, promote a unified understanding of FedRAMP, institute formal feedback channels, enhance visibility into FedRAMP strategic initiatives and create an incredible team of FedRAMP experts across government.
FEDTECH: How has the program changed since its implementation?
MAHAN: The core mission and structure of the program have remained the same, but in the past four years, the program has gained a tremendous amount of traction. The program introduced FedRAMP Accelerated in 2016, an initiative designed to transform the Joint Authorization Board authorization process, which reduced JAB authorization timelines to less than six months, as well as FedRAMP Tailored, a new baseline designed for low-impact Software as a Service providers.
We have also seen a tremendous uptick in agency reuse. In the last four years, the number of authorizations reused by other agencies has increased by 300 percent. Currently, we are partnering with the National Institute of Standards and Technology and industry in developing the Open Security Controls Assessment Language (OSCAL), with the goal of automating the development of the security package, the assessment and reporting of security control information using a standardized machine-readable format based on XML and JSON.
Additionally, we have enhanced our training and outreach capabilities over the years. In fiscal year 2019 alone, we trained more than 11,000 participants from 45 agencies and 30 small businesses and startups. We are also increasing the use of virtual, on-demand training and videos and enhancing our web presence.
In recent months, the program has shifted into high gear, helping agencies transition to cloud technology in support of the increase in the remote workforce. Since March, the program has seen double the number of agency reusability requests for cloud products approved by FedRAMP and a 50 percent increase in meetings with agencies to discuss FedRAMP-related topics.
FEDTECH: Talk about your work with the Department of Homeland Security to help improve risk management.
MAHAN: To better align with real-world cyber risk and volatility, the FedRAMP Program Management Office (PMO) is working with DHS in using the .govCAR methodology to score controls within the FedRAMP moderate baseline against the NSA/CSS Technical Cyber Threat Framework. This research could fuel a threat-based approach to authorizations, which enables agencies to make risk-based decisions by focusing on security controls that protect against known and potential significant or consequential threats.
FEDTECH: What other initiatives are underway, and what’s the timeline for those?
MAHAN: We are ramping up on training and outreach activities for industry and agencies this year. We held our Agency Information System Security Officer Training Days in June, and we are planning additional training around in-depth security topics in August.
[Chart: The number of cloud products authorized by FedRAMP. Source: marketplace.fedramp.gov, July 10, 2020]
We’re also planning an event for our assessor community before the end of the fiscal year. If you are interested in attending, please send us a note: email@example.com.
By the end of fiscal year 2020, we hope to have the entire security package within the OSCAL. Draft versions of all the FedRAMP baselines and the System Security Plan were released for public comment at the end of 2019. The team has completed the Security Assessment Plan, Security Assessment Report and Plan of Action and Milestones and recently released draft versions and guidance documents. We also have plans to develop a few open-source tools to help industry and agencies use OSCAL.
FEDTECH: How does FedRAMP work with small businesses and smaller cloud providers?
MAHAN: Small businesses are bringing new and innovative services to the government, and at FedRAMP, we want to help agencies harness this innovation. The FedRAMP PMO is passionate about continuing to serve, grow and support this community.
We have seen several small businesses embrace FedRAMP Tailored, which was specifically built for Software as a Service. Additionally, we have launched training programs designed with small businesses in mind, including FedRAMP Small Business and Startup Meetups. We have also released a best-practices guide for small businesses that captures lessons learned and tips from small businesses that have gone through the process.
FEDTECH: How does FedRAMP coordinate with other federal IT security programs?
MAHAN: Government cybersecurity is a whole-of-government approach. FedRAMP, Trusted Internet Connections and Continuous Diagnostics and Mitigation are all important aspects of it. So are the efforts of other government agencies. As threats continue to evolve, FedRAMP and other government efforts will continue to respond to them.