In the never-ending struggle against manual tasks burdening Cloud Service Providers (CSPs) and federal agencies alike, FedRAMP has published RFC-0016, advancing its mission to modernize collaborative continuous monitoring (ConMon) of cloud services.
The Current State of Collaborative ConMon
The days of single-agency sponsors being the sole users of a cloud service are long gone; many agencies today may leverage the same Agency authorization regardless of their unique use cases. Because of the historic reliance on a single-agency sponsor to oversee authorization, the notion of several agencies sharing the same service has often led to confusion and misaligned responsibilities among agencies. Agencies must monitor their information systems using a process aligned with their unique Information Security Continuous Monitoring (ISCM) strategy; but how can CSPs support multiple agencies when those strategies differ so widely?
The current practice of collaborative ConMon involves multi-agency CSPs holding monthly meetings, where they review vulnerability scans, Plan of Action & Milestones (POA&M) changes, deviation rationale, and significant system changes. These meetings allow the agencies to participate directly in reviewing the CSP's security posture. Creating and reviewing the deliverables covered in such meetings, however, currently requires significant manual effort.
FedRAMP's Future
RFC-0016 proposes, through a series of requirements, a pathway to further align with OMB Memorandum M-24-15 and OMB Circular A-130. With these requirements adhering to FedRAMP 20x's less-is-more approach, CSPs would continue to issue reports summarizing authorization details and data, but at a quarterly cadence instead of monthly.
A quick view into proposed requirements:
- FRR-CCM-01 – Quarterly authorization reports must include high-level summaries in a consistent, human-readable format.
- FRR-CCM-04 – An asynchronous communication mechanism must be established between the necessary parties (CSP, all agencies, FedRAMP).
- FRR-CCM-QR-01 – Quarterly synchronous reviews should cover the aspects of the authorization deemed most relevant by the provider.
Less frequent manual reporting is not a new idea; it is currently being explored across other industries. For example, the Trump administration expressed interest in replacing quarterly financial reporting by public companies with biannual reports. Fewer reporting periods allow more time for companies to proactively manage ConMon deliverables with less concern over short-term administrative overhead. Arguments may differ on which frequency is optimal, but less reporting is desirable if it results in higher-quality ConMon practices.
This latest RFC is in line with FedRAMP's newly published Vulnerability Detection and Response (VDR) standard (see our related blog here) and supplements its outcome-driven approach. The new age of collaborative ConMon will feature a holistic program that is persistent in its vulnerability intelligence, relevant in its contextual evaluation of risks, and justifiably ambitious in its shorter remediation timelines.
Automation as a Driving Force
While creating direct communication channels between CSPs and agencies is a step in the right direction, automation is the key to facilitating prudent defense. Acting not only as a cost-saver but also as a security-enabler, automation can empower CSPs to conduct more efficient ConMon. By producing machine-readable data, it can also give agencies streamlined access to that ConMon data. RFC-0016 reveals much about the future of FedRAMP, acting as a lens into its evolution: one in which automation, shared responsibilities, and real-time data sharing will define the new standard.
The gaps between agency ISCM strategies and CSP capabilities are wide, which increases the labor costs associated with manual compliance efforts. While FedRAMP has been definitive in its promotion of automation to combat such issues, it stops short of prescribing specific standards. This ambiguity leads to inconsistent implementations across the industry, making it harder for agencies to interpret data and assess risk consistently. If FedRAMP is to overcome this struggle, the voices of practical expertise, namely Third-Party Assessment Organizations (3PAOs), must come together to advocate for standardized automation frameworks.
What can Fortreum do for you?
Let us know how Fortreum can help you navigate the changing currents of FedRAMP 20x. For more information, visit the Fortreum website or follow the company on LinkedIn at LinkedIn.com/company/fortreum.
Should you have questions about your FedRAMP, XRAMP, cloud and cybersecurity readiness, please reach out to us at Info@fortreum.com or Contact Us at https://fortreumstage.wpenginepowered.com/contact/