Now more than ever, the cloud security program known as FedRAMP needs industry’s help.
That was the message Monday from Pete Waterman, the director of the Federal Risk and Authorization Management Program at the General Services Administration.
“We’re going to transform FedRAMP: Instead of the government deciding what is best, we’ll collaborate with industry to drive the solution. We’ll start now and update our approach continuously. We’ve all been talking about automating the status quo for way too long. Everyone in this room knows that if it was that easy, we would have done it by now,” Waterman said at an event sponsored by the Alliance for Digital Innovation on March 24. “We need to drive this type of change together as a community. You bring the solutions, we’ll vet them with agencies and set standards to match.”
Waterman said infrastructure-as-a-service and platform-as-a-service vendors can make their systems secure by design, or at least provide some capability so that customers using their services can validate their own security.
He said there are endless possibilities for third-party compliance tool vendors.
“Find your niche and build something cool. If you build validation software, you won’t be excluded anymore. We’ll all work with you to figure out multi-party validation in a way that includes you in the FedRAMP ecosystem without requiring a federal agency sponsor for everyone else,” Waterman said. “All the other cloud service providers of varying scale and complexity, you can adopt these capabilities, where, when and how. You can update your architecture to take advantage of them as they become available. Start small, go big and get secure. For everyone else, figure out where you can add value and plug in. There’s plenty of room inside this for new ideas.”
This new vision, called FedRAMP 2025, which looks to industry for innovations and to help lead the effort, is a drastic change from how GSA managed the program over the last 12 years.
Part of the reason for the new approach is that the program management office is leaner, with fewer contractor resources and a smaller budget. It is also getting out of being the centralized authority and provider of services, and will instead focus on setting policies and standards.
GSA and the Office of Management and Budget have tried repeatedly over the last decade to fix long-standing complaints and concerns about the program. The program management office and the Joint Authorization Board (JAB) created alternative approaches like FedRAMP Ready and FedRAMP Tailored, but the cost and burden of the authorization process still weighed heavily on agencies and vendors alike.
Waterman said the new program management office will move on from the past of how GSA and OMB initially created the FedRAMP process.
“FedRAMP is rooted in the past. Federal Information Processing Standard (FIPS) 200, the government standard for the development, implementation and operation of secure information systems, was published way back in 2006. The approach outlined back then was based on the idea that systems were developed only until they were ready to be put into operation, like a building or a ship. You can use a paperwork based process to evaluate the security of something that you won’t change once it enters operation,” he said. “That hasn’t been how most of us built tech for a long time, though. Modern services are continuously and simultaneously developed and implemented while being operated without downtime and without stopping.”
Continuous validation is the goal
A common complaint about the current process is it’s too burdensome and costly, and it’s more of a checklist than a true security audit.
Instead, FedRAMP will work with industry to create continuous validation and verification processes as well as apply automation to those security controls.
“FedRAMP will set the standards that enable private innovation to create the solution. That’s how we’ll develop and continuously improve a standardized, reusable, cloud native approach to security assessment and authorization for cloud services,” he said. “We’re going to build a different approach, starting with understanding the underlying security principles that will ensure government information is safe in a continuously evolving commercial environment with key security indicators. Then together, we’ll build an assessment process to validate your choices about those key security indicators.”
While Waterman didn’t promise to have every answer to every question about how this new approach would work, there are some initial ideas that seem to make sense.
For example, the key security indicators would shift the requirements from extensive descriptions of each individual control on a spreadsheet to continuous validation that the intent behind those controls has been addressed, removing the need for extensive human reviews.
“We know the capability to rely on automated validation for many security controls already exists and that host providers often offer secure by design options to make this easier for their customers,” Waterman said. “The vast majority of underlying security requirements for the NIST SP 800-53 can be validated in the same automated way if we approach them in the abstract. No one should ever be manually reviewing an old spreadsheet that has some screenshots next to it and pretend that that’s a security assessment.”
Waterman added he believes the ultimate goal of automating everything is effectively a Boolean decision.
- Can I trust this company? True or false
- Is this cloud service secure enough for my specific needs? True or false
- Will I authorize its use? True or false
“It’s that simple and that complex, but this should be our goal,” he said. “My team has already done a lot of work on this over the past couple of weeks to get started. Then you all tell me how you can help such offerings to validate their configuration. You don’t all have to agree on the approach or do it the same way. It’s the outcome that matters. If the approach is reasonable and the outcome is legit, we’ll validate the approach, any approach. From there, we just keep going, continually adding key security indicators and pulling in various existing frameworks as we simplify more and more controls and solve more complex use cases like multi-party, multi-service, multi-cloud validation eventually will come for the big IaaS and PaaS providers too. It won’t be as easy for you, but we’ll see it through, if you will. You can’t keep pushing paper forever. I don’t have all the answers to how to do this, but I’ll bring the coffee and donuts.”
Waterman will bring the proverbial coffee and donuts to four new community working groups FedRAMP is setting up to bring everyone together.
The PMO will hold the first meeting of each group on the following dates:
- The NIST SP 800-53, Rev. 5 continuous monitoring working group on March 31
- The automating assessment working group on April 2
- The applying existing frameworks working group on April 8
- The continuous reporting working group on April 10
“We’re going to set the tone and host some discussion, but a lot will depend on you and what you bring,” Waterman said. “I do want to be very, very clear that those groups are not to advise us. Those groups are not to give us consensus advice. Those groups are an attempt to create and establish a community where we work together and talk about things in public with each other, so there’s no more ghost rules and regulations. There’s just everybody has equal and fair access to all the same information, including me and my team, because my team wants to know what you all are doing. Then, as we monitor that, as we see things that work, and as we see some generally good ideas, and as we see standards that folks align towards, we will develop that standard that supports that, and then we’ll send that through our formal request for comment process that is required by law to make sure that we standardize that.”
Waterman said the PMO will use a GitHub discussion forum to post meeting notes and summarize the discussions and the progress of industry in addressing these challenges.