Federal Secure Cloud Advisory Committee’s initial FedRAMP recommendations to the GSA administrator
Executive Summary
Recommendations for CSP Authorization Path Improvements, ConMon Process Enhancements and Automation Opportunities
This executive summary outlines key recommendations commissioned and approved by FSCAC to enhance the stakeholder experience for Cloud Service Providers (CSPs), third-party assessment organizations (3PAOs), agencies, and the Federal Risk and Authorization Management Program (FedRAMP) Program Management Office (PMO). Additional recommendations were made by individual committee members that were not broadly approved by the committee; the committee will continue to analyze and review those additional recommendations in its future work.
After numerous briefings and deep dives into the current state and future needs of FedRAMP, the Committee identified improvements that cover three main areas: the CSP authorization path, the continuous monitoring (ConMon) process, and automation opportunities and initiatives. These three priorities were voted on and approved by the Committee at FSCAC's July 2023 meeting. The Committee has since worked to identify the three (3) top recommendations for each initiative, aimed at reducing the time, effort, and cost associated with the U.S. General Services Administration's (GSA) FedRAMP program.
CSP Authorization Path
The main problem the Committee has identified is that the authorization process, which assesses the security and risk of federal cloud offerings and issues FedRAMP authorizations, is full of manual, time-intensive tasks that are subject to quality issues. As a result, achieving a FedRAMP authorization is costly for CSPs and takes a long time relative to operational needs. The current process is not set up to scale to current demand or to the anticipated exponential growth.
- To alleviate these concerns, FSCAC recommends that the FedRAMP PMO review and establish FedRAMP control inheritance. This involves mapping controls to authoritative sources such as the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), and the Payment Card Industry Security Standards Council (PCI), and to specific government departments for reciprocity, such as the Department of Defense (DoD), Department of State (DoS), and Department of Justice (DoJ). By focusing on control inheritance, the cost and timeline of a FedRAMP authorization are reduced for CSPs, 3PAOs, and the FedRAMP PMO alike.
- Additionally, we recommend that the FedRAMP PMO consider expanding the Cloud Service Offering (CSO) security package documentation to include baselines and deployment guides, so that customers understand how to configure a CSO to meet security requirements. Collaboration with NIST's National Cybersecurity Center of Excellence (NCCoE) is recommended to further develop profiles, guidance, and how-to guides. Expanding the CSO security package documentation will improve the quality of submissions, again reducing the time and cost of a FedRAMP authorization for CSPs, 3PAOs, and the FedRAMP PMO.
- Lastly, this Committee recommends that the FedRAMP PMO establish a matrix detailing fully inherited and hybrid (shared) responsibilities for Software as a Service (SaaS) and develop a SaaS assessment process that uses existing assessment frameworks. A low-effort change, this improvement will specifically help SaaS CSOs achieve FedRAMP authorization in a shorter period of time, while clearly communicating to agencies the risks of using a SaaS CSO.
ConMon Process Enhancements
With regard to ConMon, the main problem the Committee has identified is that the current ConMon process, defined by monthly vulnerability scans and annual control assessments, is inefficient, manual, labor intensive, and too costly.
- For ConMon process improvements, FSCAC recommends implementing an integrated tool, such as a Governance, Risk, and Compliance (GRC) tool, for agency and FedRAMP authorizations as soon as possible. This tool would provide a unified view of assessment and change request data for a comprehensive risk picture, improving a CSP's ability to detect and respond quickly to threats in its environment.
- Additionally, we recommend integrating ConMon processes into existing streamlining work, such as the Open Security Controls Assessment Language (OSCAL) and Electronic Governance Risk Compliance (EGRC). By standardizing the language in which ConMon data is expressed, the PMO's level of effort to maintain and share that data will be dramatically reduced.
- Lastly, this Committee recommends centralizing ConMon processes for agency authorizations within the FedRAMP framework, which will significantly improve an agency’s ability to make data-based decisions regarding their environment’s acceptable level of risk.
Automation Opportunities and Initiatives
The main problem the Committee has identified is that every facet of the FedRAMP process is manual. Introducing automation is an opportunity to address the lengthy time to marketplace for CSOs. Monthly continuous monitoring is also a burden for agencies, so streamlining and automating this process would reduce that burden while providing better quality data. However, automation should focus not only on the process but also on the outcomes, to ensure that agencies have secure, authorized solutions they can readily use.
- In terms of specific automation opportunities and initiatives, FSCAC strongly recommends that the FedRAMP PMO review the current set of requirements, controls, and deliverables to identify opportunities for descoping less relevant elements and establishing reciprocity with overlapping frameworks. Collaboration with stakeholders and industry will be crucial to the success of this recommendation. Standardizing the framework enhances the security of cloud offerings while reducing the time and cost of FedRAMP authorizations.
- To support the foundation of automation within the FedRAMP processes, GSA should continue to support the FedRAMP PMO in its effort to bolster and incentivize OSCAL adoption by external stakeholders and to review areas of the authorization workflow suitable for automation. This might involve the FedRAMP PMO setting up a working group to drive industry participation in developing, maintaining, and adopting automation technologies. A small business may incur additional cost in the short term in exchange for longer-term savings; as automation is implemented, stakeholders will see reduced maintenance and supportability costs in operations.
- Finally, this Committee urgently calls for full, potentially multi-year, funding of an award for an automation support contract to assist agencies and the FedRAMP PMO in implementing and maintaining these critically important automation initiatives. With this additional support for agencies, the cost and staff effort associated with FedRAMP authorizations will also be reduced.
In summary, these recommendations collectively aim to streamline CSP authorization processes, enhance continuous monitoring, and leverage automation to improve efficiency, reduce timelines, and lower the overall cost of assessments and authorizations. Successful implementation by the FedRAMP PMO and GSA will require effective collaboration with relevant stakeholders and the adoption of industry-accepted standards.