FedRAMP Modernization Overview
December 14 | 2023
We are excited to share with you the concrete steps we are taking to upgrade technology and processes to meet the future needs of FedRAMP’s stakeholders. These steps are in response to the legislation codifying FedRAMP, and are in alignment with the Office of Management and Budget’s Modernizing the Federal Risk and Authorization Management Program (FedRAMP) draft memo. The FedRAMP PMO introduced this modernization approach at the first FedRAMP Office Hours, held on October 25, and will be building on these ideas over this fiscal year and beyond.
The goal of FedRAMP Modernization is to improve federal cloud cybersecurity by:
- Reducing the time, cost, and effort associated with initial assessments of commercial cloud service offerings (CSOs)
- Improving the customer experience interacting with the FedRAMP authorization and continuous monitoring process
- Increasing the quality and accuracy of the security artifacts and documentation through standardization
- Refining the continuous monitoring program, which will provide a clearer picture of a CSO’s cybersecurity posture
FedRAMP Modernization is built on three pillars: Technology, Processes, and People.
To address the “technology” piece of modernization, FedRAMP developed a systems architecture that formalizes requirements for tools that will automate and standardize documentation submission and continuous monitoring for all stakeholders. This systems architecture serves as the foundation for building and growing near- and mid-term automation capabilities across FedRAMP. To support these capabilities, FedRAMP is currently working collaboratively across the Technology Transformation Service (TTS) to identify a suitable OSCAL¹-based technical solution. Future communications will provide more information on FedRAMP’s automation goals and activities and what stakeholders can expect.
The “process” pillar is about evaluating and addressing processes used to conduct security assessments, continuous monitoring, and back-end processes associated with program operations. As part of this effort, FedRAMP is undertaking a collaborative initiative to evaluate and optimize the flow of security packages in and through FedRAMP to address areas where backlog may occur and reduce the authorization timeline and associated costs for all stakeholders.
The “people” part is focused on strengthening collaboration, engagement, and adoption across the stakeholder community (agencies and commercial partners) to identify and then meet their needs while achieving the program goals to grow the FedRAMP Marketplace, transform processes, and promote training and knowledge sharing. Engagement will include our continued Agency Liaison and 3PAO listening sessions, Data Bytes sessions to discuss OSCAL, and Office Hours sessions.
What this means for you
This is part of FedRAMP’s continuous efforts to meet the needs of our stakeholders at scale. Building upon a decade of program growth and success, the FedRAMP Modernization effort will enable FedRAMP stakeholders to more easily create, submit, and take in assessment and continuous monitoring documentation. Our aim is to reduce the burden on stakeholders through the use of OSCAL-enabled tools that will save time, create efficiencies, and reduce costs.
Stakeholder engagement will be necessary for our community to make a fundamental shift in mindset in order to take advantage of the “technology”, “process”, and “people” upgrades FedRAMP is making. FedRAMP intends to support you through training and guidance as we undertake this modernization journey with you.
We encourage you to stay in touch by emailing questions to info@fedramp.gov. We also encourage you to submit official comments on the Federal Register site by December 22.
-
¹ NIST, in collaboration with industry, is developing the Open Security Controls Assessment Language (OSCAL). OSCAL is a set of formats expressed in XML, JSON, and YAML. These formats provide machine-readable representations of control catalogs, control baselines, system security plans, and assessment plans and results.
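The footnote's point, that OSCAL makes these artifacts machine-readable, is easiest to see with a small tool that consumes them. As an added example, not code from this post or from any FedRAMP or NIST tool, the Python below loads three hand-constructed, deliberately minimal OSCAL-style JSON documents (a catalog, a baseline profile, and a system security plan) and reports which baseline controls the SSP does not address, which baseline ids do not exist in the catalog, and which implemented controls fall outside the baseline. The field names follow the OSCAL JSON layout for those three document types, but the documents are constructed for illustration and omit the metadata, UUIDs, and narrative that a conformant file requires; the control ids and titles are NIST SP 800-53 ones, and everything else (the `#catalog` href, the remarks, the extra ids) is made up for the example.

```python
"""Coverage check over minimal OSCAL-style JSON documents.

Added example, not code from the FedRAMP post or from any FedRAMP/NIST
tool. The three documents are constructed for illustration: they follow
the OSCAL JSON layout for a catalog (groups -> controls, with nested
controls for enhancements), a profile/baseline (imports ->
include-controls -> with-ids) and a system security plan
(control-implementation -> implemented-requirements -> control-id), but
omit the metadata, UUIDs and narrative a conformant document must carry.
"""
import json

# Constructed catalog fragment: two control families, one enhancement.
CATALOG_JSON = """
{"catalog": {"groups": [
  {"id": "ac", "title": "Access Control", "controls": [
    {"id": "ac-1", "title": "Policy and Procedures"},
    {"id": "ac-2", "title": "Account Management", "controls": [
      {"id": "ac-2.1", "title": "Automated System Account Management"}]}]},
  {"id": "au", "title": "Audit and Accountability", "controls": [
    {"id": "au-2", "title": "Event Logging"}]}]}}
"""

# Constructed baseline: selects controls by id. "ac-99" is deliberately
# absent from the catalog to exercise the dangling-reference check.
PROFILE_JSON = """
{"profile": {"imports": [{"href": "#catalog",
  "include-controls": [{"with-ids": ["ac-1", "ac-2", "ac-2.1", "au-2", "ac-99"]}]}]}}
"""

# Constructed SSP: "sc-7" is implemented but not selected by the baseline;
# "ac-2.1" and "au-2" are selected but have no implemented-requirement.
SSP_JSON = """
{"system-security-plan": {"control-implementation": {"implemented-requirements": [
  {"control-id": "ac-1", "remarks": "Access control policy reviewed annually."},
  {"control-id": "ac-2", "remarks": "Accounts provisioned through the IdP workflow."},
  {"control-id": "sc-7", "remarks": "Boundary protection via managed firewall."}]}}}
"""


def _walk_controls(controls):
    """Yield control ids depth-first, following nested 'controls' lists."""
    for ctl in controls:
        yield ctl["id"]
        yield from _walk_controls(ctl.get("controls", []))


def _walk_groups(groups):
    """Yield control ids from groups and any nested sub-groups."""
    for group in groups:
        yield from _walk_controls(group.get("controls", []))
        yield from _walk_groups(group.get("groups", []))


def catalog_control_ids(catalog):
    """All control and enhancement ids defined by a catalog document."""
    root = catalog["catalog"]
    ids = set(_walk_controls(root.get("controls", [])))
    ids.update(_walk_groups(root.get("groups", [])))
    return ids


def baseline_control_ids(profile):
    """Control ids a profile selects via include-controls/with-ids.

    Only explicit with-ids selection is handled here; the other OSCAL
    selection forms (select all, pattern matching, exclusions) are not.
    """
    ids = set()
    for imp in profile["profile"].get("imports", []):
        for selector in imp.get("include-controls", []):
            ids.update(selector.get("with-ids", []))
    return ids


def ssp_implemented_ids(ssp):
    """Control ids for which the SSP carries an implemented-requirement."""
    impl = ssp["system-security-plan"]["control-implementation"]
    return {req["control-id"] for req in impl.get("implemented-requirements", [])}


def coverage_gaps(catalog, profile, ssp):
    """Compare baseline against SSP and report three kinds of gap, sorted."""
    defined = catalog_control_ids(catalog)
    selected = baseline_control_ids(profile)
    implemented = ssp_implemented_ids(ssp)
    return {
        "unknown_in_baseline": sorted(selected - defined),
        "missing_from_ssp": sorted((selected & defined) - implemented),
        "not_in_baseline": sorted(implemented - selected),
    }


def run_example():
    """Run the check over the constructed documents above."""
    return coverage_gaps(json.loads(CATALOG_JSON),
                         json.loads(PROFILE_JSON),
                         json.loads(SSP_JSON))


if __name__ == "__main__":
    for kind, ids in run_example().items():
        print(f"{kind}: {', '.join(ids) or '(none)'}")
```

Run stand-alone, the script reports `ac-99` as a baseline id the catalog does not define, `ac-2.1` and `au-2` as baseline controls the SSP never addresses, and `sc-7` as an implementation statement outside the baseline. The same three questions are what a reviewer asks of a package by hand today; with the artifacts in OSCAL they become a set difference that can run on every submission and every continuous-monitoring update.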