FedRAMP to test NIST security control automation
- By Sara Friedman
Officials with the Federal Risk and Authorization Management Program want to continue to make it easier for agencies to get cloud service providers approved. By the end of this fiscal year, the National Institute of Standards and Technology’s Open Security Controls Assessment Language, which speeds up the security controls assessment process through standardization and automation, will be available for testing, according to FedRAMP Director Matt Goodrich.
“We think [OSCAL] will really help agencies transform the way that they are doing their work by making sure that they can use whatever tool that they want to use and automate whatever they can in the process to do their authorizations,” Goodrich said at the June 13 ATARC Federal Cloud and Data Center Summit.
Goodrich also provided an update on FedRAMP Tailored, a streamlined approval process for low-impact software-as-a-service offerings. He said 15 SaaS offerings are currently in process for authorizations with three already approved.
“Agencies can partner with vendors for authorizations, so vendors don’t need to have a third-party assessor or independent auditor,” Goodrich said. It allows agencies to “bring in new and innovative products from small businesses in a way that is cost affordable,” he said.
When it comes to third-party assessors, FedRAMP plans to add accreditation for individual assessors, with a hands-on testing program for such individuals rolling out over the next few months.
Improvements are also coming to the Joint Authorization Board process known as FedRAMP Connect. Starting this month, that process will shift from a biannual cycle to quarterly.
“It won’t impact our timelines to get to an authorization,” Goodrich said of the process. “We simply want to increase the pace at which we are selecting vendors so there is less lag time between when we prioritize and assess them in the JAB.”
At the same event, Goodrich announced the winners of the FedRAMP Five Awards, which honor agencies and individuals who have demonstrated exceptional engagement in the FedRAMP process.
The Department of Health and Human Services won the large agency award. HHS has been the most active agency when it comes to FedRAMP authorized services, with 46 FedRAMP authorized or in-process SaaS offerings in use.
The Federal Communications Commission received the small agency award. The FCC has the most authorized and in-process SaaS offerings of any small agency at 17 and is an active participant in Information System Security Officer Training Days that support and improve the FedRAMP program.
Steven Hunt, the IT governance lead at NASA's Enterprise Managed Cloud Computing office, received the large agency tech lead award. Hunt created an enterprisewide cloud framework to help NASA minimize its compliance burden and enable mission-supporting services.
Broadcasting Board of Governors CISO Greg Gray won the small agency tech lead award. Gray was instrumental in helping his agency get a FedRAMP Tailored ATO for Adobe Sign and Creative Cloud in nine weeks.
Daniel Pane, the FedRAMP lead at HHS, received the future leader award. He has worked to standardize FedRAMP efforts across HHS and has led support in sponsoring multiple cloud service offerings.
Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.
Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.
Friedman can be contacted at firstname.lastname@example.org or follow her on Twitter @SaraEFriedman.