A senior General Services Administration (GSA) official said today the agency is supportive of the primary aims of a new report recommending steps to modernize the Federal Risk and Authorization Management Program (FedRAMP), which provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
The report issued by the Center for Cybersecurity Policy and Law features a dozen recommendations to modernize FedRAMP. Among them are:
- Identifying FedRAMP controls that can be automatically assessed for all systems and implementing a process of automated certification against those controls;
- Continuing efforts to develop fully automated standards for security assessments;
- Updating the FedRAMP Security Assessment Framework to make it consistent with the National Institute of Standards and Technology (NIST) Cybersecurity Framework;
- Developing dashboards for real-time monitoring of government cloud computing environments;
- Creating a shared service center to consolidate and standardize the cloud ATO (authority to operate) review process;
- Accelerating adoption of “ATO-in-a-day” projects;
- Making a framework for grouping multiple agencies with similar risk profiles to simplify cross-agency acceptances of ATOs;
- Providing more clarity and guidance for reciprocal acceptance of cloud ATOs;
- Creating compliance pathways to make it easier for cloud service providers with new or updated technology to sell to Federal customers;
- Establishing and reporting ATO-related metrics via annual FISMA reporting; and
- Studying how to accelerate the secure adoption of internet of things (IoT) and artificial intelligence (AI)-enabled cloud services and software.
“Substantially we are in agreement with the report,” said Anil Cheriyan, Deputy Commissioner of GSA’s Federal Acquisition Service and Director of its Technology Transformation Services organization, at an event held to unveil the report’s findings.
“Our job is to dig into it further” and consider practical approaches to the report’s aims, Cheriyan said. He added, “we would love to take a leadership role” in advancing the report’s recommendations.
Speaking more generally of the FedRAMP program, Cheriyan said GSA’s main priorities are to further modernize and streamline the government’s use of secure cloud solutions, promote reuse of services that have won FedRAMP authorizations, and increase the number of cloud service providers using the program and the speed at which they receive authorizations.
Some of GSA’s current efforts in that direction involve increasing resources for training Federal agencies on reuse, and working with agencies to establish FedRAMP liaisons to make the process work better. As a mark of progress, he said reuse rates have climbed substantially since 2018, and that 175 service providers are currently authorized.
“I believe we are turning a corner” with the program and “making changes that make a difference,” he said, while also acknowledging that “changes need to happen faster.”
“I’m tremendously excited by some of the ideas in this report,” said Matthew Lira, White House Special Assistant to the President for Innovation Policy and Initiatives, at today’s event. “FedRAMP has a tremendous role to play” not only today but also in the emerging age of AI and IoT, and the program needs to evolve to fill that role, he said.
The aims of the FedRAMP report released today also fall in line with program efficiency gains envisioned by the FedRAMP Authorization Act that passed the House earlier this month. The legislation sponsored by Rep. Gerry Connolly, D-Va., would codify the program into law and take a number of other actions including establishing a presumption of adequacy for FedRAMP authorized cloud services, encouraging further automation of the FedRAMP process, and authorizing $20 million in annual funding for the FedRAMP program management office and Joint Authorization Board.
The report’s authors said today the recommendations were developed with the input of “quite a few” Federal agency officials including policy, authorization, and security officials.