The Federal Risk and Authorization Management Program – better known as FedRAMP – is three years old, as of December 2014, and the program’s director, Matt Goodrich, told attendees of the Advanced Technology Academic Research Center’s Cloud Computing Summit there is now a roadmap laying out the program’s goals over the next two years.
“There are three main tenets to the roadmap,” Goodrich said. “Objective 1 is to increase stakeholder engagement, increase the number of agencies implementing FedRAMP.” There is no single authoritative source of information on which agencies are using the cloud, he said, so in the next six months “we’re going to create something that we consider a good baseline.”
During that six months, the PMO also will be creating a practical implementation guide that can be used to initiate assessments and authorizations for cloud services, he said.
Objective 2 is to increase cross-agency collaboration.
“We want to create a framework where two agencies using the same cloud [can work together],” Goodrich said, “whether it’s how to implement the new PIV environment, or going through an authorization, or implementing continuous monitoring.”
To get that off to a good start, also in the next six months the PMO will publish a draft multi-agency authorization methodology that follows the FedRAMP Security Assessment Framework, he said.
Objective 3 is increasing agencies’ understanding of what FedRAMP is, he said. The program website will be relaunched, probably in March, and will include training segments, “so agencies and cloud providers can really understand what FedRAMP is.”
The roadmap includes a host of specific tasks to be accomplished over six, 12, 18, and 24 months. For example, the program office will be issuing guidelines that address inconsistencies for security assessment activities, methodologies, and artifacts for Third Party Assessment Organizations (3PAOs) within the next six months. The requirements will be applied to the 3PAOs in 12 months, he said.
The program office will be looking at how to reuse industry standards, such as those for FISMA, HIPAA, or Security Operations Centers.
“If someone just went to a data center for assessment for a SOC, do we really have to do it again for FISMA?” Goodrich said. “There are a lot of details that have to be figured out … but if somebody is doing something for compliance in security, we want to be able to reuse that.”
The program office will be establishing additional baselines, Goodrich said. A draft “high baseline” that maps security areas – such as access control, risk assessment, system and information integrity, and identification and authentication, to name a few – against the security controls in NIST’s 800-53 Rev. 4 catalog has been released for comments, due by March 13.
FedRAMP also is looking to establish a framework for data and workflow automation, he said.
“How can we automate the creation of documentation, change it in one area and have the change [ripple through] the documentation?” he said. “We’re creating a draft of those automation requirements … There are tools out there that do [this]. If you have one of these tools, this is what we expect out of it.”
Goodrich said the PMO would be scheduling an industry day on the topic of automation tools.