FedRAMP just automated checking security authorization packages for completeness
The General Services Administration plans to release XML-automated validations next week allowing vendors to check their security authorization packages for completeness before submitting them to the Federal Risk and Authorization Management Program.
FedRAMP used Schematron, a rule-based language for making assertions against XML documents, to automate the process, and wants vendors to self-test their packages to ensure all the required data is there before the program reviews them and decides whether to issue a cloud product an authority to operate (ATO).
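To show what a Schematron-style completeness check does before a package is submitted, here is an added example that is not FedRAMP's published validation set: it applies a small list of (context, assertion, message) rules to a constructed OSCAL-like system security plan using only the Python standard library. The element names follow the OSCAL 1.0 SSP model, but the specific rules and the sample SSP are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"o": "http://csrc.nist.gov/ns/oscal/1.0"}

# Schematron-style rules: for every node matching `context`, the `test`
# path must find at least one node, otherwise `message` is reported.
# These rules are assumed for illustration, not FedRAMP's actual rule set.
RULES = [
    (".", "o:metadata/o:title", "SSP is missing metadata/title"),
    (".", "o:import-profile[@href]", "SSP does not import a baseline profile"),
    (".", "o:system-characteristics/o:system-id", "system-characteristics lacks a system-id"),
    (".", "o:system-implementation", "SSP is missing system-implementation"),
    ("o:control-implementation/o:implemented-requirement", "o:statement",
     "implemented-requirement has no statement"),
]

# Constructed sample package: deliberately omits <system-implementation>
# and leaves control ac-3 without an implementation statement.
SAMPLE_SSP = """<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0">
  <metadata><title>Example Cloud Service SSP</title></metadata>
  <import-profile href="#fedramp-moderate"/>
  <system-characteristics><system-id>EXAMPLE-001</system-id></system-characteristics>
  <control-implementation>
    <implemented-requirement control-id="ac-2">
      <statement statement-id="ac-2_smt"><description>Accounts are managed.</description></statement>
    </implemented-requirement>
    <implemented-requirement control-id="ac-3"/>
  </control-implementation>
</system-security-plan>"""


def validate(xml_text):
    """Return a list of human-readable failures; an empty list means complete."""
    root = ET.fromstring(xml_text)
    failures = []
    for context, test, message in RULES:
        for node in root.findall(context, NS):
            if node.find(test, NS) is None:
                # Identify the offending node by control-id where present,
                # otherwise by its local element name.
                ident = node.get("control-id") or node.tag.split("}")[-1]
                failures.append(f"{ident}: {message}")
    return failures


def is_complete(xml_text):
    return not validate(xml_text)


if __name__ == "__main__":
    for failure in validate(SAMPLE_SSP):
        print(failure)
```

A vendor would run this kind of check locally and fix every reported gap before submission, so the PMO's review team only sees packages that are structurally complete.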
More easily hackable legacy systems stay in operation longer when agencies can’t quickly purchase cloud products they need for lack of an ATO, and vendors have long wanted FedRAMP to automate parts of its authorization process.
“I think it’s a great step in automated validation,” said Zach Baldwin, automation lead within the FedRAMP program management office (PMO), during an ACT-IAC event Tuesday. “I want cleaner documentation before I have my review team lay eyes on it.”
The PMO wants vendors to implement the validations in a way that allows them to drop in new rule files with more complex checks as FedRAMP improves them, Baldwin said.
FedRAMP is also considering an agile ATO, a critical set of controls vendors can implement quickly while saving lesser ones for later.
The PMO recently partnered with the Department of Homeland Security’s .govCAR to score vendors’ security architectures against cyberthreat heat maps. Updated scores will be released in the near future, but they can be used to create a risk profile as agencies make cloud service purchasing decisions, Baldwin said.
Automation wouldn’t be possible without FedRAMP’s work with the National Institute of Standards and Technology to create the standardized Open Security Controls Assessment Language (OSCAL) for authorization packages. NIST released OSCAL 1.0.0 in early June.
“I’m going after the time it takes to get an authorization and the number of passbacks between my review teams and the [cloud service providers] and [third-party assessors],” Baldwin said.