Modernization - Automating FedRAMP's Technology
As a reminder, you are invited to join FedRAMP’s monthly Office Hours session today at 11am ET Wednesday, January 17, 2024, where we will be discussing our collaborative effort to move forward on our technology modernization priorities, introduced below. Attendees are encouraged to come prepared to discuss their questions about FedRAMP technology modernization and if possible, submit them at the link below.
FedRAMP is committed to ongoing dialogue and engagement with our stakeholders so we can leverage your experience and expertise to inform and revise our modernization strategy, and ensure our efforts meet your needs for an automated FedRAMP. Examples of future input and engagement opportunities are outlined below. We will communicate in more detail about these opportunities in the future, and they are also open topics for discussion during the Office Hours session.
Topic Areas for CSPs and 3PAOs:
- Identifying gaps and defects in FedRAMP OSCAL guides and validations to help us improve them.
- Delivering security package deliverables in OSCAL and standard formats to help us better understand where greater standardization is needed in the FedRAMP OSCAL approach.
- Engaging with FedRAMP to help us refine our API, integration, and ConMon approach.
- Providing feedback on tooling, documentation, guidance, and training, with a focus around the use of OSCAL and OSCAL-enabled tools.
- Identifying needs to improve user experience and system-to-system integration.
Topic Areas for Agencies:
- Acquiring new tools, or working with existing tools, to develop the capability to ingest and produce OSCAL data.
- Participating in engagements to help identify capabilities and data needed by agency review teams to help us refine the FedRAMP modernization approach.
- OSCAL Data Bytes Sessions
- Future Data and Automation Listening Sessions
- Agency Liaison Meetings
- Federal Secure Cloud Advisory meetings
- Office Hours
FedRAMP’s Technology Priorities
FedRAMP’s technology priorities are the adoption of Open Security Controls Assessment Language (OSCAL); a supporting governance, risk, and compliance (GRC) and data repository; and the refinement of current processes to take advantage of automation. OSCAL underpins FedRAMP’s data and automation strategy, and its use will increase as the modernization process continues.
FedRAMP will continually refine our approach based on technical and process maturity and stakeholder input. Ultimately, once this model is adopted, stakeholders will create, submit, and ingest assessment documentation using collaboratively-developed OSCAL-enabled tools and streamlined processes.
FedRAMP will provide tooling, documentation, guidance, training, and technical support to facilitate these modernization efforts, with a focus on providing support around the use of OSCAL and OSCAL-enabled tools and data platforms.
How FedRAMP Stakeholders Benefit
CSPs and Third Party Assessment Organizations (3PAOs) will submit OSCAL-formatted authorization packages and ConMon artifacts, which will facilitate automated validation of deliverables, and near immediate feedback on trouble spots. CSPs and 3PAOs will be able to leverage FedRAMP APIs for package updates and submissions, reducing overhead and resource impact and facilitating the integration with their existing systems. CSPs and 3PAOs will be able to continually monitor their progress through improved FedRAMP workflows via API or Dashboards. Collectively, these changes will increase the speed, effectiveness, and transparency of the authorization process and continuous monitoring (ConMon) activities for CSPs and 3PAOs. Agency stakeholders will be able to review the cybersecurity posture of cloud service offerings (CSOs) on demand via dashboards to continuously monitor and evaluate risk to their own agency. This will help inform cloud service authorization decisions, improving threat and risk awareness. We look forward to your participation in the FedRAMP Office Hours session this Wednesday and in future engagement forums to discuss how FedRAMP can best meet the modernization needs of our stakeholders.
For any general questions, please email firstname.lastname@example.org.