Deadlines have been set. Will you be ready?
This past year has been pivotal for FedRAMP, the thirteen-year-old program that resides within the General Services Administration (GSA). Last October, the OMB released a draft memo that outlined an updated vision for the program, which includes guidance on topics ranging from changes in the authorization structure for cloud service providers (CSPs) to the importance of leveraging automation for FedRAMP processes whenever possible. Last March, GSA released a FedRAMP Program Roadmap, which outlines GSA and FedRAMP’s strategic goals and provides a high-level timeline for program milestones.
Over the summer, a final version of the OMB memo was released—including key deadlines for government agencies. Some of these deadlines will also impact CSPs seeking to reach FedRAMP authorization and those who want to maintain authorizations moving forward. These deadlines have to do with the preparation and submission of most FedRAMP documentation in machine-readable format.
Currently, the machine-readable format used by FedRAMP is the Open Security Controls Assessment Language, or OSCAL. OSCAL is “…applied to the publication, implementation, and assessment of security controls” and is meant to help streamline and automate the authorization process.
Government agencies have a window of 24 months
According to this new OMB memo, government agencies have 24 months from the date the memo was issued (July 25, 2024) to ensure agency governance, risk, and compliance (GRC) tools and system-inventory tools can both ingest and produce machine-readable authorization and continuous monitoring artifacts.
In other words, government agencies need to be prepared to accept FedRAMP documentation in OSCAL and produce documentation formatted in OSCAL that will be submitted to FedRAMP under the program. This new requirement is being put into place in an effort to facilitate automation.
An 18-month window for GSA
The FedRAMP Authorization Act, passed in 2022, requires GSA to—as stated in the new OMB memo—“…establish a means for the automation of security assessments and reviews.” This act is the groundwork for the portion of the memo that gives GSA an 18-month window to build on that work so that it can receive FedRAMP-related authorization and continuous monitoring artifacts through “automated, machine-readable means” (although the memo qualifies this with “to the extent possible”).
However, this window of time doesn’t affect only GSA. By implication, if OMB requires GSA to have the processes in place to receive FedRAMP-related artifacts within the next 18 months, CSPs will need to submit their required FedRAMP documentation in OSCAL. Presumably, this requirement applies both to CSPs seeking FedRAMP authorization and to CSPs that have already achieved authorization and are now in the continuous monitoring (“ConMon”) phase, maintaining their authorization moving forward.
Automation is the key to future success for both government and industry
Clearly, the OMB memo is positioning automation as the key to the future success of the FedRAMP program for both government agencies and CSPs. As stated at the beginning of Section 5 of the memo: “As part of a technology-forward program optimized for efficiency and consistency, FedRAMP processes should be automated wherever possible to support the rapid delivery of services and improve security outcomes.” OSCAL (developed by NIST in collaboration with industry) is currently the key to that automation.
With Xacta, CSPs can easily generate FedRAMP documentation in OSCAL format
Several years ago, the team behind Xacta built Xacta for FedRAMP with the vision of creating a purpose-built solution that automates and streamlines the key steps in the FedRAMP process. Since then, Telos has been on the frontlines of the OSCAL transition. Xacta for FedRAMP will both ingest data in OSCAL format and export it. CSPs leveraging Xacta for their FedRAMP submissions can easily meet GSA’s upcoming requirements.
The benefits of using Xacta for FedRAMP extend beyond OSCAL compatibility. Teams leveraging Xacta to prepare their FedRAMP submissions can speed up the process by creating a common working environment for all participants. Additionally, Xacta for FedRAMP allows teams to streamline gathering and managing security-related data.
Once authorization is granted and the continuous monitoring process is underway, Xacta for FedRAMP lets you automate the ingestion of security scans into your FedRAMP package, leverage Xacta’s predictive mapping to automate control association for technical scan findings that are not currently associated with a FedRAMP control, automatically create POAMs for failed tests and track remediations, and much more.
Xacta: The easy choice for government agencies seeking to comply with the deadlines set by OMB
As noted above, the clock is already ticking for government entities involved in the FedRAMP process.
Deployed at some of the world’s most security-conscious organizations, Xacta enables you to continuously manage your cyber risk and security compliance initiatives through the power of automation. It is the solution of choice for managing complex cyber risk environments and compliance processes in the cloud, on-premises, and in hybrid environments.
Xacta, therefore, is well-positioned to be the platform of choice for government agencies looking for a solution that can both ingest and produce OSCAL as part of the FedRAMP authorization process. This supports the OMB’s broader goal of automating FedRAMP processes for efficiency and consistency.
A look ahead
The vision OMB has for the FedRAMP program moving forward is exciting. Here at Telos, the team behind Xacta has seen firsthand how automation can speed and streamline security compliance activities in even the most complex environments. A more automated FedRAMP program will mean that government agencies will be able to innovate faster and execute mission-critical functions more efficiently than ever before. CSPs will also benefit from these changes, as government agencies’ adoption of secure cloud technologies will likely continue to grow.