Although agencies are adopting secure cloud technologies at record-high levels, challenges remain within the FedRAMP process and across the FISMA and Risk Management Framework.
The Federal Risk and Authorization Management Program (FedRAMP) strives to continuously improve how we support our customers. In an effort to enhance and evolve our program, the FedRAMP Program Management Office (PMO) seeks to leverage the power and insights of the cybersecurity community. Respondents have the opportunity to help guide what the PMO takes on next and ensure that the government keeps federal data secure while bolstering modernization efforts.
Goal
Participants should submit bold, innovative, and actionable ideas that offer a new perspective on the FedRAMP Authorization process.
Security and cloud professionals, academia, and anyone interested or involved in the FedRAMP ecosystem are invited to participate in this opportunity to share their best thinking on the next phase of FedRAMP.
Opportunity
As technology evolves, it is important that federal agencies manage information systems to address and mitigate security risks. We want to ensure FedRAMP continuously explores initiatives in support of a modern, efficient, and effective authorization process in an effort to reduce time and cost, without compromising cybersecurity rigor.
This challenge provides FedRAMP’s stakeholders and the cloud security community at large the opportunity to directly inform and contribute ideas in support of a new approach to risk assessments and security authorization for cloud products and services.
Background
FedRAMP standardizes the Federal Government’s requirements and approach to security assessment, authorization, and monitoring of cloud products and services. The FedRAMP program established several cloud security baselines in accordance with FISMA and OMB A-130 and aligned with the NIST RMF and NIST SP 800-53.
In accordance with FISMA, each agency is required to issue an Authority to Operate (ATO) to authorize operation and accept the risk of using an information system. FISMA, and the President’s Executive Order, require agency heads to be responsible for information security risk within that agency and, while FedRAMP helps streamline and support agency risk determinations, ultimately that responsibility lies with the individual agency.
FedRAMP’s unified approach allows CSPs to demonstrate how they are safeguarding information using a single set of security requirements that is accepted by all executive branch departments and agencies. This “do once, use many” approach minimizes duplicative agency-specific authorization efforts, inconsistencies, and cost inefficiencies.
FedRAMP works closely with partners from industry and government to promote the secure adoption of innovative information technologies. The FedRAMP PMO takes a continuous improvement mindset to its mission of creating transparent standards and processes to accelerate federal agencies’ adoption of cloud technologies and ability to leverage security authorizations on a government-wide scale.
How Do CSPs Get a FedRAMP Authorization?
CSPs can achieve a FedRAMP Authorization for their Cloud Service Offering (CSO) from one of two approaches: through agency partnership or through the Joint Authorization Board (JAB). Regardless of the authorization approach, the CSP and 3PAO must produce the same deliverables (documents, artifacts, and evidence files) to convey the risk associated with the CSO.
Challenges with the “As-Is” FedRAMP Process
As agencies migrate to cloud technology, authorization challenges remain. FedRAMP is committed to providing workable and scalable solutions for our partners to advance the pace of secure cloud adoption. The FedRAMP PMO identified four improvement areas to the current “as-is” process.
Current Challenges
- Time – Although there has been significant progress in reducing authorization timelines, more work is needed to improve the pace of authorizing new providers, approving significant changes, and on-boarding of new services.
- Cost – The technical modifications, testing, and security materials required for a vendor to achieve a FedRAMP Authorization is comprehensive and rigorous. Depending on a vendor’s familiarity with these requirements, and the current “as-is” environment, costs can quickly escalate.
- Reciprocity – Some agencies are not accepting FedRAMP Authorizations at face-value and require additional security requirements in addition to the FedRAMP baseline. This action transforms the ATO process from a risk-enabling practice to a labor-intensive exercise and loses sight of FedRAMP’s intended “do once, use many” goal.
- Awareness – There are misperceptions that can potentially dissuade a CSP or Agency from participating in the program. There are several awareness challenges associated with the process, associated roles and responsibilities and available resources, including the FedRAMP Marketplace.
Helpful Resources and Where to Start
The FedRAMP PMO launched multiple projects and initiatives in the past in response to customer feedback. Take a look at previous improvement efforts and get a feel for the PMO’s approach to continuous process improvement:
- FedRAMP Accelerated
- FedRAMP Ready
- Agency Authorization Playbook
- CSP Authorization Playbook
- FedRAMP Connect
- FedRAMP Tailored Li-SaaS Baseline
Rules
- FedRAMP will not respond to each submission individually, but may reach out via email to individual submitters for clarification if needed.
- This is a targeted open crowdsourcing and ideation activity to collect insight and is not a competition where prizes will be awarded.
- Please do not submit proprietary information. Any information provided may be incorporated into the design of the project. Information submitted in response to this notice is subject to disclosure under the Freedom of Information Act. Respondents are advised that the Government is under no obligation to acknowledge, compensate or provide feedback with respect to any information submitted under this notice.
- By participating in this crowdsourcing activity, submitters agree to hold GSA harmless from all legal and administrative claims to include associated expenses that may arise from any claims related to their submission or its use.
- GSA will not be responsible for any claims or complaints from third parties about any disputes of ownership regarding the ideas, technology, white papers, prototypes, or images included in submissions.
- GSA reserves the right for any reason to modify or close the challenge at any time.
How To Enter
Challenge participants are encouraged to submit any idea that could improve and benefit the authorization process. No idea is too small!
Participants should submit their idea to [email protected] by 5pm EDT August 22, 2019 with the subject line: “FedRAMP Challenge Response.” Submissions should be no more than two pages, 11 point Arial font, attached to the message as a PDF or Word document.
Responses should include brief details on your relationship to FedRAMP, such as how you would identify yourself (CSP, 3PAO, Agency, Industry, Interested Citizen, or other). All approaches to this challenge are welcome, but here is an optional outline to organize your response:
- Clearly identify and describe the improvement/initiative
- Detail existing challenges the improvement/initiative addresses
- Provide a technical or management approach to implementing the idea
- Identify resources required for idea implementation and sustainment (e.g. level of effort, expertise needed, tooling, etc.)
- Describe intended outcomes of implementing the idea
- Develop and list metrics to successfully monitor and manage initiative post implementation
Given the increasing capabilities of technology and innovative services, it is our expectation that new ideas can propose improvements in ways that continue or improve security rigor.
Submissions will be reviewed by the FedRAMP PMO. As a result of this challenge and internal efforts, FedRAMP will define its next big move as a program and communicate the results of this effort through the Focus on FedRAMP blog.
As part of a larger coordinated effort, the PMO will also release a Special Announcement on FedBizOpps in addition to this posting on Challenge.gov in order to gather ideas from the broadest possible community. These public announcements will contain a direct link to this page for further details about the ideation challenge.
Thank you for your effort and commitment to partnering with FedRAMP to improve cybersecurity for all.
