Reducing the continuous monitoring burden
By Sara Friedman
Cloud security demands continuous monitoring, which costs agencies, vendors and the Federal Risk and Authorization Management Program (FedRAMP) time and money.
The FedRAMP office spends "about 75 percent" of its security budget on continuous monitoring, FedRAMP Director Matt Goodrich said. "It is too much for any agency or organization to maintain."
Speaking at a Dec. 7 Digital Government Institute Cloud Computing Conference, Goodrich said he wants "to reduce the burden of continuous monitoring -- not only in our office but for our vendors as well."
FedRAMP wants to find ways to reduce the effort dedicated to continuous monitoring, Goodrich said, and is meeting with vendors "to understand how [CSPs] are meeting [the requirements] and change the way that we look at that based on their capabilities." Automation of the risk reduction process is a possibility, he said.
Continuous monitoring involves "periodic reporting for scanning, … change management and incident response," he said. "Each of those has unique elements in it, so we are looking to address portions of it rather than doing a full-scale redesign all at once."
FedRAMP will consider the abilities of smaller providers that might not have the resources to automate their FedRAMP authorizations. Goodrich said the likelihood of changing authorization requirements is "not high," but the standards to meet the requirements will change for providers with "different types of capabilities."
While Goodrich said he believes the continuous monitoring process "works well now," improvements could give his office more time and energy to devote to granting CSPs more FedRAMP authorizations.
Reducing the continuous monitoring burden is the latest effort by FedRAMP to streamline the program. This year, the program rolled out FedRAMP Connect, a program that prioritizes authorizations based on demand, and the FedRAMP Tailored baseline for low-impact or low-risk software-as-a-service solutions. An Agency Authorization Playbook distills five years of experience from helping agencies with issuing an authority to operate, offering step-by-step guidance and best practices.
FedRAMP is also in the process of helping agencies clarify inconsistent or unclear language in their cloud services contracts and is asking industry for examples of good and bad contracting language.
Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.
Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.