
The Federal Risk and Authorization Management Program (FedRAMP) is aiming to maximize its use of existing commercial security frameworks and reduce redundant documentation requirements as part of its “20x” program revamp, program officials said today.
Program officials laid out that aim at the initial meeting of the program's new Applying Existing Frameworks Working Group, which is pursuing three initial objectives.
“The first is to explore existing commercial standards to determine if any would be applicable to Federal security requirements,” one program staff member said. “To the greatest extent possible, we want FedRAMP to rely on existing best practices and commercial security frameworks.”
“The second objective is to identify any gaps that may exist between existing commercial frameworks and FedRAMP requirements, so that any additional tasks are focused only on those requirements not already met,” the staff member added.
“The third objective is to investigate automation potential, and if any frameworks have existing automation support,” they said.
Today’s Applying Existing Frameworks Working Group kick-off session – the FedRAMP program’s third new working group launch since March 31 – follows through on the aims announced last month to revamp the program that evaluates and authorizes the security of cloud services used by Federal government agencies.
The FedRAMP 20x revamp was unveiled after the program reduced its workforce by letting contracts expire for about 80 contractor employees, leaving it with approximately 18 full-time government employees working for the program, which is administered by the General Services Administration (GSA).
The hallmarks of the revamp effort include placing a heavy focus on the use of automation to speed approval processes and working more extensively with industry to “develop a new, cloud-native approach to authorizations” and make FedRAMP authorizations “simpler, easier, and cheaper while continuously improving security.”
On March 31, the program launched its new Rev 5 Continuous Monitoring Working Group, and unveiled plans to unwind the program’s historical role of providing continuous monitoring for cloud services authorized by FedRAMP.
And on April 2, the program kicked off its new Automation Community Working Group that is exploring the possibility of creating key security indicators (KSIs) that could help the program more rapidly evaluate the security of cloud services.