“… FedRAMP is working with NIST to apply automation to the program. Through the Open Security Controls Assessment Language (OSCAL), NIST and FedRAMP are hoping that, by applying the language to certification packages, they can reduce the time and effort needed to get companies FedRAMP certified.
‘We’ve made a lot of progress over the last year with NIST to get OSCAL ready to go. And of course, the partnership with our cloud service providers has been incredibly helpful,’ [Brian Conrad, the acting director of FedRAMP] said. ‘We have cloud service providers lining up wanting to be a part of pilot programs as are third party assessors who also are looking forward to this too. It’s critical because the implementation of the automation will help reduce the variability in the time and the resources needed to create all these security artifacts.’
Conrad said even with all of these ongoing improvements, FedRAMP had a strong year in 2020.
He said agencies and the JAB authorized 60 new cloud services and reuse of existing CSP authorities to operate grew by 55% last year…”
“Conrad said the broad goal with many of these initiatives is to ensure consistency and rigor while continually reducing the burden of FedRAMP.
‘I tell this to the cloud service providers that I talk to, and the 3PAOs, that our policies and guidance, they form what I refer to as guardrails on a road. You can’t expect cloud service providers to line up down the center lane because everybody’s a different service model. There’s different technologies, and there’s different size businesses. So having our policy and our guidance being like the guardrails on a road, and the goal is keeping everybody in those guardrails,’ he said. ‘We assess cloud service providers in how they apply those things in a firm, fair and consistent manner, that provides a level of confidence to agencies that the package they’re getting is sound. When we step further into automation, where we have the automated validation and things like that, that’ll help increase the confidence level as well.’…”
Source: A threat-based methodology is FedRAMP’s next step toward simplicity with rigor – By Jason Miller, May 6, 2021. Federal News Network.