FedRAMP Forward: 2 Year PrioritiesFedRAMP Forward prioritizes three key areas of focus. First, increased stakeholder engagement is needed to more fully realize the benefits of FedRAMP across the government. Second, improving efficiencies will allow the FedRAMP process to happen faster and with fewer hurdles. And third, continuing to adapt is critical to staying aligned with the evolving cybersecurity landscape. This plan sets out the objectives and initiatives FedRAMP will pursue over the next two years to address these key issues.FedRAMP Program Management OfficeFRPMO_b76fb5f4-bbaf-11e4-9f9c-c6ad57876c4e_b76fb842-bbaf-11e4-9f9c-c6ad57876c4e_b76fb91e-bbaf-11e4-9f9c-c6ad57876c4eENGAGEMENTINCREASE STAKEHOLDER ENGAGEMENT _b76fb9dc-bbaf-11e4-9f9c-c6ad57876c4e1FedRAMP and its application to cloud environments is complex and involves a broad array of stakeholders: Federal agencies, 3PAOs, and CSPs. One of the keys to success through FedRAMP is ensuring that stakeholders fully understand the requirements and are actively engaged through the process, from initiation, to authorization, and continuous monitoring. There are more than 50 CSPs actively engaged in the FedRAMP process, 31 accredited 3PAOs, and nearly every Federal agency is participating in FedRAMP. But these numbers don’t reflect the true marketplace of cloud systems in the Federal government. In order to reach the full breadth of cloud providers working with the Federal government as well as encourage new and innovative services to be available for use, stakeholder engagement with FedRAMP needs to increase. IMPLEMENTATIONINCREASE NUMBER OF AGENCIES IMPLEMENTING FEDRAMP _b76fba86-bbaf-11e4-9f9c-c6ad57876c4e1.1In many departments and agencies, FedRAMP implementation is limited to specific programs and the cloud services they are using, rather than being done in an enterprise-wide manner across departments and agencies. FedRAMP implementation will be expanded by:Baseline FedRAMP use across Federal government with various data points including PortfolioStat and FISMA reporting.
2014-12-172015-06-17To be reportedProvide practical implementation guidance for agency ATOs for initiating assessments and authorizations, re-use of ATOs, and implementing solutions within an ATO cloud service.2014-12-172015-06-17To be reportedData NormalizationNormalize agency reported data and enhance guidance on agency reporting of FedRAMP and cloud statistics through PortfolioStat.
2014-12-172015-12-17To be reportedSuccess StoriesDocument agency success stories for FedRAMP, establishing a best practice reference guide.2014-12-172015-12-17To be reportedProcurement OptionsIdentify procurement options for agencies to obtain FedRAMP implementation support2014-12-172016-06-17To be reportedReportPublicationPublish report documenting current status of FedRAMP metrics and statistics2014-12-172016-06-17MetricsEstablish accurate FedRAMP metrics._b76fbb3a-bbaf-11e4-9f9c-c6ad57876c4e1.1.1The FedRAMP PMO will work to better analyze the true breadth of use of FedRAMP across the government -- not just through PortfolioStat analysis -- but through the identification of usage across small and micro agencies, congressional and judicial branch entities, and state and local governments.GuidanceCreate practical implementation guidance. _b76fbbe4-bbaf-11e4-9f9c-c6ad57876c4e1.1.2Guidance will address all use cases of implementations -- including beginning an assessment, re-using an existing assessment, implementing agency responsibilities, transitioning legacy applications in to a cloud infrastructure, and more.Support[Provide] additional support for FedRAMP._b76fbd1a-bbaf-11e4-9f9c-c6ad57876c4e1.1.3Additional support for FedRAMP: It takes people to implement FedRAMP. Many agencies rely on contract resources to assist in their efforts to implement
FedRAMP. Identification of procurement options for agencies to find the
specialized expertise needed will be important for agency implementation
efforts.COLLABORATIONINCREASE CROSS-AGENCY COLLABORATION_b76fbdf6-bbaf-11e4-9f9c-c6ad57876c4e1.2At the heart of FedRAMP is the principle of "do once, use many times." The more the Federal government works together to implement FedRAMP, the more cost savings and efficiencies agencies can realize. The PMO will assist agencies collaborating under FedRAMP by:Multi-Agency Authorization MethodologyPublicationPublish draft multi-agency authorization methodology following FedRAMP Security Assessment Framework (SAF). To be reportedWorking GroupsIdentify and launch working groups for multi-agency authorizations
2014-12-172015-12-17To be reportedContinuous Monitoring MethodologyPublicationPublish draft multi-agency continuous monitoring methodology following FedRAMP SAF.2014-12-172015-12-17Continuous MonitoringTransition of continuous monitoring from JAB to multi-agency model for JAB P-ATOs that do not reach or achieve government-wide use.
2014-12-172016-12-17FrameworkDevelop a multi-agency framework._b76fbed2-bbaf-11e4-9f9c-c6ad57876c4e1.2.1Many CSPs have footprints and established use across multiple agencies. How to effectively and efficiently manage these environments in a collaborative manner needs to be further clarified to establish defined roles and responsibilities to maximize re-use and reduce duplication.Working GroupsLaunch working groups. _b76fc0a8-bbaf-11e4-9f9c-c6ad57876c4e1.2.2FedRAMP will Formally launch FedRAMP working groups which will give agencies a forum to collaborate as they work through FedRAMP assessments, authorizations and continuous monitoring.JAB P-ATOsEnsure JAB P-ATOs cover government-wide use. _b76fc166-bbaf-11e4-9f9c-c6ad57876c4e1.2.3The JAB's mission is to support CSPs that support the broadest range of government-wide use. The working groups and multi-agency framework will allow the JAB to transition systems they have provisionally authorized to agencies for continuous monitoring for those services that do not reach broad government-wide use.UNDERSTANDINGINCREASE UNDERSTANDING OF FEDRAMP_b76fc21a-bbaf-11e4-9f9c-c6ad57876c4e1.3A clear understanding of FedRAMP and all of its requirements is imperative to any implementation efforts by stakeholders. After two and a half years there have been many lessons learned and a better understanding of the nuances of meeting FedRAMP requirements. To make sure that stakeholders not only understand FedRAMP but benefit from the lessons learned, the PMO will:Training ProgramDevelop and launch online FedRAMP training program.2014-12-172015-06-17To be reportedFedRAMPRelaunchRe-launch FedRAMP.gov to improve user experience and usability.2014-12-172015-06-17To be reportedProcurement GuidancePublicationPublish agency procurement guidance (in collaboration with OMB / OFPP).2014-12-172015-06-17To be reportedTraining ModuleDevelopmentDevelop FedRAMP training module for agency procurement officials.2014-12-172015-12-17To be reportedDevelop targeted FedRAMP training module for agency program managers.2014-12-172016-06-17DocumentationUpdatingContinued updates to reference and guidance documents.2014-12-172016-12-17To be reportedRe-LaunchRe-launch FedRAMP.gov._b76fc2ce-bbaf-11e4-9f9c-c6ad57876c4e1.3.1Information is useless if it cannot be found. The FedRAMP website will be re-launched in a more user friendly format and re-organized so users can more easily and quickly find the information they need.TrainingLaunch Formal Training._b76fc382-bbaf-11e4-9f9c-c6ad57876c4e1.3.2FedRAMP is a complex framework with many operational processes across a myriad of stakeholders and responsibilities. All stakeholders need to understand their responsibilities under this framework. A formal training program will help stakeholders gain deeper knowledge and understanding of FedRAMP. The training program will launch with a focus on the key FedRAMP requirements for assessments and authorizations, and will grow to include specific modules targeted to defined stakeholder groups like program managers and procurement officials.UpdatesContinue Updates to Reference and Guidance Documents._b76fc42c-bbaf-11e4-9f9c-c6ad57876c4e1.3.3As more agencies move to the cloud and more systems are in use across the Federal government, it is important to share lessons learned. FedRAMP initiated this with the Guide to Understanding FedRAMP. This document will be expanded and continually updated to include those lessons learned over time.EFFICIENCIESIMPROVE EFFICIENCIES _b76fc4ea-bbaf-11e4-9f9c-c6ad57876c4e2The FedRAMP Security Assessment Framework (SAF) is complex with multiple
stakeholders and many dependencies. The process can take anywhere from four months to more than a year to complete. Since June 2012, FedRAMP has developed benchmarks to better understand the level of effort it takes to meet the FedRAMP requirements. These benchmarks have identified key areas in which efficiencies could be realized to reduce the overall time and level of effort required by stakeholders. Improving efficiency will be critical to the success of many CSPs, 3PAOs and agencies in meeting the FedRAMP requirements and will help reduce the time and cost for the security authorization process, and will help open up the Federal market to smaller and more niche service providers giving the Federal government a greater market of IT providers from which to choose. CONSISTENCY & QUALITYENHANCE CONSISTENCY AND QUALITY OF 3PAO ASSESSMENTS AND DELIVERABLES._b76fc59e-bbaf-11e4-9f9c-c6ad57876c4e2.1FedRAMP is the only program that accredits independent assessors for Federal
cybersecurity standards through the 3PAO accreditation program. 3PAOs provide the government with the independent verification and validation of a CSP’s security implementations and identify any associated risks. The government bases its decision to authorize a service provider on a 3PAOs assessment and accompanying report. Through the 3PAO accreditation program, the PMO will:GuidelinesPublicationPublish guidelines for 3PAOs to address inconsistencies for security assessment activities, artifacts and methodologies.2014-12-172015-06-17To be reportedTraining ModuleDevelopmentDevelop FedRAMP 3PAO training module in concert with FedRAMP Accreditation Board.2014-12-172015-12-17To be reportedRequirementsUpdateUpdate 3PAO requirements to ensure consistency for security assessment activities, artifacts and methodologies2014-12-172015-12-17To be reportedAccreditation RequirementsUpdate 3PAO accreditation requirements._b76fc666-bbaf-11e4-9f9c-c6ad57876c4e2.1.1The current 3PAO requirements have broad applicability through ISO 17020 and a FedRAMP knowledge test. The PMO will incorporate 3PAO Guidelines for specific FedRAMP applications to 3PAO policies and processes in to the official 3PAO requirements.Training[Conduct] training program for 3PAOs. _b76fc738-bbaf-11e4-9f9c-c6ad57876c4e2.1.2Training programs for 3PAOs will be developed specifically to address the nuances of security assessments in a cloud environment as well as quality control in the delivery of documentation to the government. This training will be mandatory for 3PAO assessors to complete and be a part of FedRAMP assessments. DATA AND WORKFLOWESTABLISH A FLEXIBLE FRAMEWORK FOR DATA AND WORKFLOW MANAGEMENT_b76fc814-bbaf-11e4-9f9c-c6ad57876c4e2.2Automation is already a part of a cloud service providers offering through things like internal management of a cloud service, customer self service provisioning, and elasticity of services consumed. There are existing tools that agencies and CSPs use to automate parts of the FedRAMP process, however not all of them meet FedRAMP documentation requirements and there is not a consistent set of requirements for how systems should incorporate automated data feeds from vendors to analyze. In order to realize automation in these areas the PMO will:Tools & AutomationIdentificationIdentify existing workflow tools, control automation, and document automation capabilities.2014-12-172015-06-17To be reportedIndustry DayConductConduct Industry Day on tools and processes for automation of CSP documentation and assessment and continuous monitoring evidence.2014-12-172015-12-17To be reportedRequirementsPublicationPublish draft requirements for automation of FedRAMP documentation.2014-12-172016-06-17To be reportedAutomation RequirementsDocumentationFinalize automation requirements for FedRAMP documentation.2014-12-172016-12-17To be reportedAutomationIdentify existing automation capabilities._b76fc8fa-bbaf-11e4-9f9c-c6ad57876c4e2.2.1Since there are already players in this space across not only government but industry, FedRAMP will identify and work with these existing service providers to better understand their tools and the scope of their capabilities.RequirementsDevelop FedRAMP specific automation requirements._b76fc9fe-bbaf-11e4-9f9c-c6ad57876c4e2.2.2FedRAMP requires specific formatting and templates in order to maximize re-use. As such, the development of FedRAMP specific automation requirements will help
stakeholders apply automation in a way that can fully meet FedRAMP. These
requirements will be created through an initial industry day with identified
service providers and subsequent public comment periods.INDUSTRY STANDARDSRE-USE RE-USE INDUSTRY STANDARDS_b76fcac6-bbaf-11e4-9f9c-c6ad57876c4e2.3FedRAMP is not the only cybersecurity compliance standard. There are other examples of cybersecurity standards cloud providers might be required to meet -- ISO, HIPAA, CIJIS, CSA STARS, SOC II -- to name a few. Cloud providers that meet more than one of these compliance standards carry a heavy burden to meet all of these compliance frameworks. Many times CSPs are not able to re-use the evidence for compliance efforts from one framework to another. The goal of all cybersecurity compliance efforts is to demonstrate that an environment is secure enough to protect data according to various standards. In order to help CSPs and 3PAOs realize efficiencies in FedRAMP assessments and authorization through re-use of evidence across various compliance frameworks, the FedRAMP PMO will:
RequirementsPublicationPublish draft requirements for re-use of external industry compliance evidence for assessment, authorization and continuous monitoring 2014-12-172015-06-17To be reportedCompliance FrameworkMappingIdentify and map one external industry compliance framework for re-use of evidence for assessment, authorization and continuous monitoring. 2014-12-172015-12-17To be reportedComplete pilot assessment of one CSP re-using evidence from external compliance framework.
2014-12-172016-06-17To be reportedCompliance FrameworksMappingsPublish additional mappings of external industry compliance frameworks for evidence re-use.2014-12-172016-12-17To be reportedRe-Use RequirementsPublish re-use requirements._b76fcb98-bbaf-11e4-9f9c-c6ad57876c4e2.3.1Re-use of evidence will require a close attention to scoping and ensuring the evidence being re-used equally applies to two or more industry standards. The requirements must be clear as to what must be met in order to re-use evidence from one framework to another.Standards MappingMap re-use standards to industry requirements._b76fcc74-bbaf-11e4-9f9c-c6ad57876c4e2.3.2Once the re-use requirements are complete, they will need to be applied to an industry standard for practical application and use. As these mappings are created, they will be piloted with CSPs and authorizing officials to ensure accuracy and develop lessons learned. These pilots will help formalize industry mappings and guide future efforts.ADAPTATIONCONTINUE TO ADAPT _b76fcd8c-bbaf-11e4-9f9c-c6ad57876c4e3NSTDHSWhile there are seemingly strict confines around which FedRAMP was built, the key to FedRAMP’s success is the adaptability of FISMA, NIST standards, and DHS guidance. In order for FedRAMP to continue its growth, it is recognized that the cybersecurity landscape evolves constantly -- practically on a minute to minute basis -- and the adaptability must also apply to FedRAMP as it continues to apply FISMA, NIST standards, and DHS guidance.
As the Federal government matures in its application of cybersecurity standards, there are opportunities for FedRAMP to help coordinate efforts among Federal agencies using CSPs. Adapting to meet the evolving cloud offerings and introduction of new services, the levels of data the government is placing in cloud environments, and placing a higher focus on overall risk management instead of compliance will keep FedRAMP ahead of the curve and ensure all stakeholder needs are being met. MONITORINGEVOLVE CONTINUOUS MONITORING_b76fce90-bbaf-11e4-9f9c-c6ad57876c4e3.1Part of meeting the FedRAMP requirements includes adherence to the "FedRAMP Continuous Monitoring Strategy and Guide." This guide has three key areas: periodic reporting, change management, and incident response. Many of the requirements within the "FedRAMP Continuous Monitoring Strategy and Guide" are based on compliance activities. In order to have more effective continuous monitoring, risk management needs to be more fully incorporated. The FedRAMP PMO will evolve the continuous monitoring approach by:Publish roadmap for evolution of continuous monitoring to include ongoing authorizations, near real time risk analysis, and greater emphasis on risk management.2014-12-172015-06-17To be reportedRisk Analysis GuidelinesPublicationPublish guidelines with key indicators for authorizing officials to effectively perform risk analysis and more readily identify and respond to changes in risk posture of systems with existing authorizations.2014-12-172015-06-17To be reportedGuidelines & RequirementsPublicationPublish guidelines and requirements for automating and correlating continuous monitoring data across agency and JAB authorized systems. 2014-12-172015-12-17To be reportedMonitoring DataAutomation & CorrelationAutomate and correlate of continuous monitoring data across 2 agency and 2 JAB authorizations.2014-12-172016-06-17To be reportedReporting DataAutomation & CorrelationAutomate and correlate continuous monitoring and incident reporting data across all JAB and participating agency FedRAMP authorizations.
2014-12-172016-12-17Monitoring RequirementsUpdating continuous monitoring requirements._b76fd002-bbaf-11e4-9f9c-c6ad57876c4e3.1.1Through dialogue with service providers and Federal agencies, and key stakeholders like NIST and DHS, FedRAMP will update the continuous monitoring requirements to have a key focus on risk management through more real time views of CSP environments and establishing key indicators for reviewing CSP risks.Reporting RequirementsEstablish continuous monitoring reporting requirements._b76fd138-bbaf-11e4-9f9c-c6ad57876c4e3.1.2In order to effectively monitor agencies use of multiple environments across various CSPs, reporting of continuous monitoring needs to be done consistently. FedRAMP will create and refine reporting requirements so agencies will be able to re-use CSP continuous monitoring deliverables consistently across agencies. Authorization CorrelationCorrelate continuous monitoring activities across authorizations._b76fd322-bbaf-11e4-9f9c-c6ad57876c4e3.1.3As CSPs meet the continuous monitoring reporting requirements, correlating the data across all authorizations will give the Federal government a greater ability to
understand risk as it relates across all applicable environments. FedRAMP will
enable agencies to have insight to continuous monitoring data on all of the
systems they use.BASELINESESTABLISH ADDITIONAL BASELINES _b76fd444-bbaf-11e4-9f9c-c6ad57876c4e3.2FedRAMP launched with a baseline for low and moderate impact systems, which covers approximately 80% of Federal information systems. Over the last two and a half years, agencies have been rapidly moving to the cloud and showing a strong desire to move more and more mission critical services to the cloud, including some with higher sensitivity levels of data. To ensure that FedRAMP requirements and baselines meet these evolving stakeholder needs, the FedRAMP PMO will:BaselinePublicationPublish draft high baseline for public comment.2014-12-172015-06-17To be reportedHigh Watermark BaselineFinalizationFinalize high watermark baseline.2014-12-172015-12-17To be reportedAdditional BaselinesIdentificationIdentify need for additional agency baseline requirements.2014-12-172016-06-17To be reportedBaselinePublicationPublish draft flexible baseline based on identified agency needs.2014-12-172016-12-17To be reportedBaselineDevelop a high baseline._b76fd548-bbaf-11e4-9f9c-c6ad57876c4e3.2.1Almost since inception, all of the FedRAMP stakeholders have asked when a high baseline would be developed. The FedRAMP PMO will work with the JAB to develop a high impact baseline, and will coordinate the vetting process through the CIO Council, ISIMC, and multiple rounds of public comment.Baseline NeedsIdentify additional baseline needs._b76fd64c-bbaf-11e4-9f9c-c6ad57876c4e3.2.2FedRAMP will also continue to assess the need for additional baselines and develop those as necessary. Possibilities include systems that meet the requirements for high availability but only need moderate protections for confidentiality and integrity.CYBER INITIATIVES & POLICY REFORM ENHANCE INTEGRATION WITH CYBER INITIATIVES AND CONTRIBUTE TO POLICY REFORM _b76fd750-bbaf-11e4-9f9c-c6ad57876c4e3.3Technology serves as the intersection for many Government-wide initiatives – and this provides agencies with a challenge to ensure they meet a multitude of requirements when using a single solution. Requirements such as the Trusted Internet Connection (TIC), Homeland Security Protocol Directive-12 (HSPD-12), Internet Protocol version 6 (IPV6), and Continuous Diagnostic and Mitigation (CDM) have critical requirements overlapping with some of the FedRAMP requirements. In order to address this challenge, the FedRAMP PMO will:FrameworkDevelopmentDevelop framework for FedRAMP assessment overlay for compliance with relevant IT policies (e.g. TIC, IPv6).2014-12-172015-06-17To be reportedAssessment OverlayPublicationPublish draft initial FedRAMP assessment overlay with 1 to 2 IT policies.2014-12-172015-06-17To be reportedAssessmentsConductConduct concurrent assessments of FedRAMP and additional IT policies.2014-12-172015-12-17To be reportedAssessment Overlay FrameworkFinalizationFinalize FedRAMP assessment overlay framework. 2014-12-172016-06-17To be reportedGuidance MethodologyPublicationPublish formal guidance methodology for assessment overlays IT mandates.2014-12-172016-06-17To be reportedAssessment OverlaysDevelopmentDevelop two additional FedRAMP assessment overlays for compliance with additional IT initiatives.2014-12-172016-12-17To be reportedAssessmentsDevelop FedRAMP assessment overlays._b76fd840-bbaf-11e4-9f9c-c6ad57876c4e3.3.1Agencies, CSPs, and 3PAOs should be able to demonstrate compliance with multiple agency initiatives when undergoing any compliance activity. FedRAMP will create overlays to the FedRAMP Security Assessment Framework that will allow for assessments to demonstrate compliance with FedRAMP but also other initiatives like HSPD-12, IPv6, TIC, CDM, etc.EngagementActive engagement with broader cybersecurity community._b76fd94e-bbaf-11e4-9f9c-c6ad57876c4e3.3.2Cybersecurity CommunityFedRAMP will continue to work with our counterparts across the government at NIST, DHS, and OMB and through government councils like the CIOC and ISIMC to ensure the program's work continues to align with other IT initiatives and contribute to a more cohesive cybersecurity framework across government.2014-12-172015-02-23https://cloud.cio.gov/sites/default/files/documents/files/FedRAMP%20Forward%202%20Year%20Priorities.pdfOwenAmburOwen.Ambur@verizon.net