White House looks to scale FedRAMP with automation
The cloud security program is being restructured to respond to the proliferation of cloud offerings.
The federal government's cloud security authorization program, FedRAMP, is getting an overhaul to comply with recent legislation and meet the increasing demand for cloud-based services at government agencies.
A draft memorandum released on Friday acknowledges the proliferation of software-as-a-service options and the need to "rapidly increase the size of the FedRAMP marketplace" by offering new paths to authorization. The new policy is designed to supplant the initial FedRAMP authorization memo issued in 2011.
"We are taking a human-centered policy design approach and soliciting input to learn about how government and industry experience the FedRAMP process and how we could evolve the program to increase its use and drive greater impact," Federal Chief Information Officer Clare Martorana said in a statement.
Cloud service providers are required to obtain an authorization from the FedRAMP program, based at the General Services Administration, before their applications can go live at federal agencies. Vendors have long complained of backlogs in authorization, the complex and varied compliance requirements and a lack of reciprocity among agencies in accepting FedRAMP approvals.
The FedRAMP Authorization Act, included in the fiscal year 2023 defense policy bill, tasked the program with increasing the speed of cloud authorizations via automation and improving the ability to reuse authorizations across agencies.
"Recognizing reciprocity is smart for vendors and smart for agencies," Rep. Gerry Connolly, D-Va., said in a statement. "If you are approved at one window of government, that approval should carry with you to others."
The White House guidance, which is open from comment through Nov. 27, requires the FedRAMP program to update continuous monitoring for cloud authorizations within six months and put in place a method for automating security assessments and reviews within 18 months. The initial plan for automating FedRAMP so that documentation is shared in machine-readable form is due on December 23 of this year.
Additionally, the guidance calls for FedRAMP to develop a plan to help agencies move off of cloud infrastructure designed solely for government use with in a year.
"Commercial providers should… be incentivized to integrate into their core services any improved security practices that emerge from their engagement with FedRAMP, to the benefit of all customers," the guidance states.
The move away from government-specific cloud infrastructure was cheered by Google.
"The shift from physical to logical separation of government data is aligned with zero trust principles, and will offer the government the innovation and rapid feature development of a true commercial cloud," Leigh Palmer, vice president of tech strategy and delivery at Google Public Sector said in an emailed statement. "We certify our entire U.S. Google Cloud infrastructure, a radically different approach to legacy, fortress-like cloud security models."
The guidance also proposes that the FedRAMP program develop a continuous monitoring framework that includes obtaining advance notice from CSPs on "security relevant" changes to authorized products and services and sets expectations for CSP responses to breaches and other security incidents to help protect the government from attacks on cloud infrastructure.