An article in FCW, FedRAMP Ready or FedRAMP Irrelevant?, examined the current FedRAMP authorization environment and how delays are exacerbated when the process has to be repeated by multiple agencies for an already proven solution.
It noted … No matter how many improvements are made to the FedRAMP process, the laudable goal of ensuring that federal agencies have rapid access to secure commercial cloud solutions will not be achieved if agencies don’t maximize their reliance on reciprocity — that is, relying on another agency’s ATO or provisional authorization to quickly determine the viability of a cloud solution.
It emphasized that a lack of trust that still exists between agencies continues to severely hamper the government’s access to new technologies and concluded by saying… agencies will only achieve their risk management goals if they can measure the outcomes that matter and begin to trust the work of another agency’s cybersecurity professionals.
For several years, Waverley Labs has advocated that measurement is not enough. The advent of digital risk management frameworks includes advancements in monitoring and measurement that can now provide true quantification of risk from a business perspective.
The problem, or opportunity, lies in a gap in how FedRAMP assessments are performed, which makes them very complex and, as a result, much more time consuming than necessary. We want FedRAMP to consider our recommendation to establish a sound digital risk management (DRM) and mitigation process. Such a process would fill the gap between the controls and the security framework defined by NIST, greatly reducing complexity and significantly shortening the time needed for assessments.
Key to an effective DRM program is the ability to define risk failure scenarios that help to identify the risks to systems associated with those failures. As it stands today, identifying risks at the system level is based upon vulnerability scans, which makes it difficult to prioritize the risks arising from those vulnerabilities.
By prioritizing risk by failure scenario, organizations can readily select the controls that best prevent those failures from occurring. It also helps to define and prioritize the implementation of the selected controls, thereby making the auditor's job easier.
Continuous monitoring is a key step in the risk management process that also enables enterprise risk managers to manage digital risk. When it sets policy, guidance and priorities for all systems (critical and non-critical), it greatly enhances an organization's ability to work with auditors, because an overarching process and guidance are already established within the CSP.
Waverley Labs is very interested and would welcome the opportunity to discuss this with FedRAMP and the Cloud Security Alliance (CSA) to develop and recommend a list of controls that would be monitored and assessed "automatically" to streamline the FedRAMP auditing process. We are also developing outcome-based monitoring solutions that quantify failure scenarios and enable the creation of digital risk scorecards, the next step in the evolution of digital risk management solutions.
Below is a diagram that shows where and how digital risk management could close the gaps to ensure a smooth FedRAMP auditing process while at the same time complying with NIST guidelines.
Watch this blog for more info.