Update 2024-03-28-a-new-roadmap-for-fedramp.md
added cisa link
shivaalipour authored Mar 28, 2024
1 parent 8040675 commit e0bb9ea
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion _posts/2024-03-28-a-new-roadmap-for-fedramp.md
Expand Up @@ -25,7 +25,7 @@ While SaaS applications are used in government, and FedRAMP does have some in it
<h4>Our roadmap contains some specific initiatives we’re undertaking to make concrete progress against these goals:</h4>
1. <b>An agile approach to change management</b>. FedRAMP needs to enable agile software delivery of security improvements and other features. To do this, we plan to replace the “significant change request” process with an approach that does not require advance approval for each change. We’ll start by piloting a new process with interested authorized cloud providers, and use the pilot to finalize broader guidance.
2. <b>Publish new, customer-oriented program metrics</b>. If we are going to impact the cost of FedRAMP and how long it takes to get and stay authorized, we need a better way to measure those things, informed by what our customers are actually experiencing. Likewise, we need to refine our understanding of our agencies' customers' experience and focus on ensuring they can efficiently and securely leverage cloud services to meet their mission needs. We plan to survey customers about their experience, soon and at a regular cadence, and to update FedRAMP’s formal performance metrics based on this survey to align with customer outcomes.
3. <b>Define FedRAMP’s core security expectations</b>. A central challenge of FedRAMP is to accommodate varying risk tolerances across agencies, while still setting a high enough bar for its authorizations to broadly support agency reuse without additional work. We plan to make progress here by more clearly defining the outcomes we expect all types of authorizations to meet. We will also work closely with the Cybersecurity and Infrastructure Security Agency (CISA) to develop and deploy the best protections for and minimize the risk to the federal enterprise. By combining this with more public documentation and examples of how cloud providers meet FedRAMP’s security goals, we can also streamline the authorization process overall.
3. <b>Define FedRAMP’s core security expectations</b>. A central challenge of FedRAMP is to accommodate varying risk tolerances across agencies, while still setting a high enough bar for its authorizations to broadly support agency reuse without additional work. We plan to make progress here by more clearly defining the outcomes we expect all types of authorizations to meet. We will also work closely with the Cybersecurity and Infrastructure Security Agency (<a href="https://www.cisa.gov/" target="_blank" rel="noopener noreferrer">CISA</a>CISA) to develop and deploy the best protections for and minimize the risk to the federal enterprise. By combining this with more public documentation and examples of how cloud providers meet FedRAMP’s security goals, we can also streamline the authorization process overall.
4. <b>Keeping FedRAMP policies focused on outcomes</b>. As a security-first program, FedRAMP needs to care not only about what is required, but about how those requirements can be reasonably applied and how they work out in practice. FedRAMP will hold cloud providers to a high standard informed by how implementation best practices have evolved, and that provides the flexibility needed to stay focused on security outcomes. We’ll start with updated guidance in a few areas that we know are particular authorization pain points now (such as FIPS 140, DNSSEC, and external service integrations), and set up a regular process for understanding where to focus over time.
5. <b>Increase the authorizing capacity of the FedRAMP ecosystem</b>. We will work with trusted authorizing partners to align our processes and eliminate the need for extensive per-package review by the program. We will be piloting this approach with our partners at <a href="https://www.disa.mil/" target="_blank" rel="noopener noreferrer">DISA</a> who serve as the Cloud Authorizing Official for the Department of Defense. More generally, we will be supporting OMB and the FedRAMP Board in convening joint authorization groups, who we expect to be strong candidates for this streamlined approach.
6. <b>Move to digital authorization packages</b>. While a full migration will take time, FedRAMP needs to operate as a data-first program for its processes to scale. We will define machine readable packages, in <a href="https://pages.nist.gov/OSCAL/" target="_blank" rel="noopener noreferrer">OSCAL</a>, and provide the guidance and tools to help our customers create and share them. Our goal is to leverage automated validation and assessment of packages, as well as system-to-system integration with our FedRAMP governance, risk, and compliance (GRC) platform to modernize and scale. We will work with interested cloud providers to pilot creating these packages and incorporating them into the authorization process in partnership with interested agencies.
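Review bot: the replacement line for item 3 leaves a stray duplicate of the acronym immediately after the closing anchor tag, `<a href="https://www.cisa.gov/" target="_blank" rel="noopener noreferrer">CISA</a>CISA)`, so the rendered sentence will read "(CISACISA)". Drop the second "CISA" so the span is `(<a href="https://www.cisa.gov/" target="_blank" rel="noopener noreferrer">CISA</a>)`, which matches how the DISA and OSCAL links later in the same list are written with no text after the anchor. The remainder of the line is identical to the line it replaces, so this is the only part of the hunk that needs a re-check before merging.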
