The Federal Risk and Authorization Management Program (FedRAMP) spends a lot of time ensuring cloud service providers are offering secure environments for federal agencies. But all that work means nothing if a week, a month, a year later the CSP lags in updating its controls and security falls by the wayside.
The FedRAMP program office gets regular reports from the CSPs it has accredited through the Joint Authorization Board (JAB); however, companies granted an authority to operate (ATO) through an agency don't always follow the same rules.
As it stands, vendors with agency ATOs provide security update reports to the authorizing agency, putting the onus on that department to process and disseminate that information, including to other agencies taking advantage of the ATO. This can be a significant burden in cost and work hours, and the disparate reporting methods can lead to confusion when multiple agencies use a CSP with a single ATO.
To streamline this process and alleviate some of that burden, the FedRAMP PMO is running a continuous monitoring pilot with four CSPs that received ATOs outside of the JAB. The pilot is testing whether the JAB can efficiently and effectively take over continuous monitoring for all agencies without creating a prohibitive lift for the CSPs or flattening the process so much that the reports become useless for the customer agency.
The JAB currently requires CSPs to submit regular reports using a specific template, which can then be placed into a reporting system that agency buyers can view before making decisions about their cloud needs or use to ensure their systems remain secure. The goal of the pilot is to see how difficult it will be to integrate reports from other CSPs without drastically changing the system.
"We have a tool that we use to normalize how we report out on each of the systems," said FedRAMP Director Matt Goodrich. "It's worked fairly well for the JAB. We wanted to see what the level of effort would be to scale that out to provide that same sort of service for agency authorizations."
The program office put out a list of reporting requirements for CSPs but isn't asking them to purchase new monitoring or scanning tools. Rather, the office has asked four CSPs with ATOs to try integrating with the system over the next few months and report back.
For the CSPs, the effort centers on merging their own reporting structure with the JAB's and training their personnel on any changes to their format.
"The level of effort was negligible; it was just sending them information we already had," said Laurel Fielding, CTO of Netcomm, one of the CSPs participating in the pilot along with Avue Technologies, QTS and Amazon Web Services. The real work, she said, was training the company's staff on the new reporting requirements, which wasn't too difficult, either.
Goodrich said the program office has been publishing information on the FedRAMP website to help CSPs prepare, which should make the change easier, even for larger organizations.
"If a cloud provider is motivated and wants to make this work, then it shouldn't take more than a few weeks maximum to do this," he said. "That's one of the things we wanted to see with our providers: Are people actually applying the appropriate resources, do we have enough resources to be responsive as well, and gauge that overall level of effort."
The result is that Netcomm only has to provide its monitoring reports to a single repository managed by FedRAMP, rather than sending them to every component of the agency that granted its ATO, in this case the National Institutes of Health.
For NIH, this means it doesn't have to compile and distribute that information and won't have to carry the associated costs of doing so.
Goodrich noted some agencies have been reluctant to take on the ATO process because of the lift associated with continuous monitoring. He hopes removing that roadblock will encourage more agencies to take part, which also takes some of the authorization workload from the JAB.
"This is [heading toward] realizing some efficiencies not only for the agencies but also for the private sector," Fielding said. "Being able to leverage people, paper and processes for multiple agencies is really critical," she added, noting the new structure will eliminate a lot of redundancy and customization the company deals with now.
Goodrich said the pilot will be a success if it can do just that without over-standardizing the process to the point where the reports aren't useful for individual agencies.
The FedRAMP program office plans to evaluate the pilot's progress this spring and decide whether to make the new reporting structure standard policy.
"It's important, one, because it helps normalize how agencies consume [reports from] multiple cloud providers and, two, we hope that it will be able to incentivize agencies to do authorizations more because we'd take on some of the work they have to do post-authorization," Goodrich said.