The Federal Risk and Authorization Management Program has released new and updated documents that aim to improve the continuous monitoring process.
Based on feedback from cloud service providers and the Joint Authorization Board review teams, the Federal Risk and Authorization Management Program released new documents on Jan. 31 to streamline and clarify the continuous monitoring program.
The need for such improvements had been apparent for some time. “We spend about 75 percent of our security budget in continuous monitoring in my office alone, and it is too much for any agency or organization to maintain,” FedRAMP Director Matt Goodrich said at a Dec. 8 Digital Government Institute event. “We are looking to reduce the burden of continuous monitoring -- not only in our office but for our vendors as well.”
The new and updated documents seek to improve the overall FedRAMP authorization process and clarify certain elements or expectations. They also create structure in some of the parts of the processes that CSPs and JAB reviewers may have interpreted differently.
The FedRAMP Continuous Monitoring Performance Management Guide replaces the Provisional Authority to Operate Management and Revocation guide. It explains what actions FedRAMP officials will take when a CSP fails to maintain an adequate risk management program and lays out escalation processes and procedures.
The Plan of Action and Milestones (POA&M) Completion Guide updates an existing document with new guidance on how to complete the POA&M processes. FedRAMP's updated POA&M template provides a structured framework for aggregating system vulnerabilities and deficiencies through security assessment and continuous monitoring efforts.
The Continuous Monitoring and Strategy Guide provides guidance on continuous monitoring and ongoing authorization to meet FedRAMP requirements for maintaining a security authorization.
FedRAMP also released new documents for Digital Identity Requirements and Transport Layer Security Requirements. The Digital Identity Requirements provides guidance on compliance with National Institute of Standards and Technology Special Publication 800-63 that emphasizes federation, new password guidance and options for easing restrictions on in-person identity validation. CSPs are required to implement the NIST requirements by July 1, 2018, for FedRAMP-authorized systems.
The Transport Layer Security Requirements summarize guidance on the use of cryptographic protocols that provide communications security over computer networks. CSPs must implement the TLS requirements by July 1, 2018.
All CSPs are also now required to include a form summarizing scans and risk adjustments as part of their monthly continuous monitoring submissions.