FedRAMP targets improvements in continuous monitoring, community in 2017
The Federal Risk and Authorization Management Program wants to double its number of cloud services and authorizations in fiscal year 2017.
Those targets are among the program’s many fiscal year 2017 goals unveiled Monday, which include formalizing efforts to connect agencies with each other and industry in a program called FedRAMP Connect, redesigning its continuous monitoring processes, and creating tailored baselines for specific use cases.
The new FedRAMP Connect program will feature two industry days and two agency roundtables, FedRAMP Director Matt Goodrich noted in a blog post Monday.
“The industry day that we want to do is really going to be a great place for agencies to see what providers are out there that are offering solutions to meet the needs that they have, as well as for providers to be able to provide a business case and pitch to agencies in a way that they can really connect with people that are actively looking for services,” Goodrich told FedScoop.
And to help agencies learn from each other and move more easily through the authorization process, Goodrich noted that in 2017 FedRAMP will publish detailed guidance on how to document all 421 National Institute of Standards and Technology controls within any of the baselines.
FedRAMP will also introduce tailored baselines in 2017 for low-impact software-as-a-service offerings, Goodrich said.
As FedRAMP has grown, Goodrich said his team has noticed that “one-size-fits-all models work well for” infrastructure-as-a-service and platform-as-a-service offerings. But a software-as-a-service offering could be something as simple as a project management tool or something more complicated like an enterprisewide email, communications, and unified messaging solution, Goodrich noted.
“We want to make sure that we have an authorization process that matches how agencies are using services and the type of data that is going in there,” he said. “Our baselines that we have now will continue to be appropriate for all of those enterprisewide solutions that agencies can use for a multitude of reasons. But we’re going to start rolling out tailored baselines for specific use cases.”
The first tailored baselines will focus on low-risk, low-impact SaaS solutions that officials think can “have a tailored process that will allow agencies to authorize them in a less burdensome manner than sort of these enterprisewide solutions that would be used for more types of uses and more types of information,” Goodrich said.
FedRAMP officials also want to redesign continuous monitoring processes, introducing automation wherever possible and looking more generally to make the process less burdensome on government and industry, Goodrich said.
“We’re trying to figure out if there’s a way maybe to have — as long as the vendors have all the appropriate information, even if we want it in a certain template — could we have a way that that information could be provided in that template that doesn’t impact their internal business processes?” Goodrich said.
Shortening time to authorization was the program’s first evolution, with the debut of FedRAMP Accelerated, Goodrich noted. He said the second evolution needs to focus on the operations and maintenance costs of continuous monitoring.
“We’re trying to figure out how do we make sure our O&M costs don’t overrun the program so that we can’t continue to scale?” he said.