FedRAMP Explores a Threat-Based Methodology to Authorizations
Feasibility Study: Agile Approach to Authorizations
In 2017, the Office of American Innovation (OAI) sponsored a feasibility study, coordinated by the Office of Management and Budget (OMB) and managed by the General Services Administration (GSA) FedRAMP PMO. The study’s objective was to determine whether a modular approach to authorizations would work. The study concluded that an agile approach to authorizations is feasible, provided it rests on a defensible methodology for prioritizing controls.
FedRAMP’s Threat-Based Methodology
FedRAMP needed to determine which security controls and capabilities are most effective at protecting against, detecting, and responding to currently prevalent threats. To do so, FedRAMP worked with the .gov Cybersecurity Architecture Review (.govCAR) team at DHS’s Cybersecurity and Infrastructure Security Agency (CISA). Together they developed a methodology for scoring each NIST SP 800-53, rev. 4, security control against the National Security Agency/Central Security Service (NSA/CSS) Technical Cyber Threat Framework v2 (NTCTF). The goal is to enable agencies, Cloud Service Providers (CSPs), and other industry partners to prioritize the security controls that are relevant and effective against the current threat environment, leading to informed, quantitative risk management decisions when authorizing information systems for government use.
Our Ask of You: Provide Feedback on Our Methodology White Paper
FedRAMP developed a white paper that outlines the methodology behind the threat-based scoring approach and its potential applications. We encourage you to read this white paper and send feedback and questions to firstname.lastname@example.org. The FedRAMP PMO looks forward to receiving your comments and sharing its progress.