So last Friday I attended the FedRAMP (Federal Risk and Authorization Management Program) industry day and I have to give GSA credit for their approach with the “unveiling.” I want give a little background on what FedRAMP is intending to do first (try to keep up with the acronyms!) Government agencies wishing to procure services from a Cloud service provider (CSP), would leverage FedRAMP to find a CSP that is pre-authorized through the FedRAMP Joint Authorization Board (JAB.) In theory, this helps save time and reduces redundancies in effort due to the fact that the CSP would have a baseline of controls tested. In order for CSPs to become pre-authorized, the would need to procure the services of a 3rd Party Assessment Organization (3PAO – I move to pronounce this “3-pow.”) To read more about the characteristics, benefits, and overall process, check out the FedRAMP Page.
This is a great idea, but GSA has tried similar things before with their latest effort being the Risk Management Framework (RMF) Blanket Purchase Agreement (BPA) which was intended to standardize RMF services (for the traditional C&A.) This was part of their information systems security line of business (ISSLoB) effort. A few things that are working in FedRAMPs favor that were not in RMF’s:
- The amount of visibility the FedRAMP program has gotten in the past couple of years
- The amount of private industry support with vendors trying to find ways to logically C&A their cloud systems
- Government anticipation in leveraging emerging cloud technologies
- Most importantly, the overall NEED!
There are actually a few other differentiators but these are the major ones that stuck out to me. Anyway, I was surprised that more questions werent asked and am wondering if that’s a function of either a thorough understanding of FedRAMP, or lack thereof. The “unveiling” was good, but there were some pretty tall orders made, such as the fact that FedRAMP itself would improve real-time security visibility. O RLY?
There are still a couple of things that we are waiting for from the program, some more surprising than others. The Concept of Operations (CONOPs) is due 2/8 and the actual list of cloud controls by 1/27, with the latter being a pretty major milestone. The repository of authorization paperwork, however, is still going to be paper-based! There seems to be some difficulty in getting a location secure enough to store such a sensitive compilation of security information across many private industry vendors. Hmm… I wonder what the problem really is here…
As a quick aside, Matt Goodrich said something at one point that really made wonder about how the government is looking at RMF and continuous monitoring. He said that many agencies are looking at developing solutions for ongoing assessments and authorization, but then said that this is also what they call “continuous monitoring.” Yikes. I’ve long disagreed with the direction continuous monitoring was being taken as a concept. It is used almost exclusively as a vendor tool issue and network/asset visibility problem. I was able to get over this by thinking that the larger concept was something akin to ongoing authorization. To equate the two feels like taking a couple steps back. Now, I have no idea how accurate it is for me to speculate either way (that agencies do or do not equate the two), but there’s certainly a very important distinction to be made here. More on this in my next post, though.
Gordon Gillerman speaking at the industry day
The last thing about the whole FedRAMP program that I wanted to point out is that there is definitely a contingent of industry participants, the ones who would want to become 3PAOs, who seemed to have been frustrated with the complexity of the applications process. I gathered this from the publicly asked questions and the conversations I had and overheard. I would agree with GSA here that the process isn’t complicated, but it’s not a cakewalk either. What would be the point of FedRAMP if any company the conducted Security Tests and Evaluation (ST&Es) could be grandfathered in as an authorized cloud assessor without knowing some of the important things about cloud environments? The application process is designed to make sure the people who are claiming to know how to assess clouds actually do know a thing or two about it.
Edit: Reading the FedRAMP memo in greater detail, there are some interesting ways in which the required use of FedRAMP is outlined. So perhaps the most important differentiator is that this is actually a must.