It could be a breakthrough year for the Federal Risk and Authorization Management Program (FedRAMP). The SolarWinds attack of late 2020 brought a nearly overnight shift in the nation’s attention to securing its data networks and IT supply chain. In fiscal 2021, agencies reused more FedRAMP-authorized cloud security packages than ever before – a 45 percent increase from the prior year. The White House’s 2021 Executive Order on Improving the Nation’s Cybersecurity has brought more focus to FedRAMP solutions, calling for increased documentation and reporting, expedited adoption of Zero-Trust architecture, improved incident response, and further modernization of the program. This spotlight on FedRAMP means that agencies, legislators, and private contractors are making moves to further refine what it means to be FedRAMP authorized.
Since the SolarWinds attack, officials are seeking ways to tighten FedRAMP requirements and closely monitor overseas vendors in the IT supply chain. Legislators have expressed concerns over the dangers of federal cloud systems that are reliant on software code originally engineered overseas, particularly code engineered by geopolitical rivals. The Federal Secure Cloud Improvement and Jobs Act, introduced in Congress in late 2021, would codify the FedRAMP program into law, as well as require further assessment and possible restriction of software code with overseas origins that is used by authorized cloud products.
Amidst these initiatives, FedRAMP’s goal in 2022 is to increase automation to improve its business processes. Much of this work is focused on the adoption of Open Security Controls Assessment Language (OSCAL), a machine-readable framework that will standardize authorization packages and streamline reviews. Creating automated authorization packages will enable cloud service providers (CSPs) to validate their systems before submitting them to FedRAMP for review. These packages will also help drive continuous monitoring of CSPs as well as help third-party assessment organizations (3PAOs) speed up processes when certifying FedRAMP standards for cloud products.
Another FedRAMP goal this year is to update the baseline and test cases to NIST’s security and privacy controls, which have undergone a major revision over the past year. The FedRAMP Project Management Office (PMO) is also partnering with DHS and CISA, using the .govCAR methodology of conducting threat-based assessments of cyber capabilities, to create a new scoring system based on how effectively controls detect and respond to real-world threats. This initiative aims to speed up the FedRAMP authorization process by focusing on the current threat landscape rather than taking a broad-based approach that may require excess resources.
On IT and data modernization initiatives prior to the White House’s Executive Order (EO) on Cybersecurity, Andrew Churchill, VP of Federal Sales at Qlik, said, “Showing that we could solve a problem was easy. Helping federal agencies figure out how to get through all of the IT and security approvals to put that into production was something completely different.”
The White House’s EO has demonstrated a shift in how the federal government approaches cybersecurity. It provides clearer objectives, which not only demonstrate urgency but also prepare agencies to set priorities and meet deadlines. Furthermore, the increased focus on strengthening the FedRAMP program has generated momentum among both agencies and private contractors, which will help the federal government execute its cybersecurity initiatives much faster and more deliberately.