March 26, 2025
I like sailboats. They are a time-honored method for crossing a large body of water. Tried and true! Elegant!
I also like motorboats. While their engine adds complexity, they are more maneuverable and allow you to travel faster. Sometimes you need speed and maneuverability!
On Monday, Director Pete Waterman announced changes to the Federal Risk and Authorization Management Program (FedRAMP). His message was to continue sailing as usual, but plan to add an engine.
Highlights:
- Cloud Service Providers (CSPs) and Agencies continue to use the FedRAMP Agency authorization path
- The FedRAMP PMO will no longer adjudicate packages
- CSPs need to generate automated “signals” that continuously demonstrate compliance.
- Third Party Assessment Organizations (3PAOs) continue to perform initial and annual assessments
- Controls monitored with automated signals will be descoped.
- System Security Plans (SSPs) are being de-emphasized, although the extent is unclear.
Continue Using the FedRAMP Agency Authorization Path
The existing FedRAMP Agency path remains the only available path for the foreseeable future. CSPs and Agencies should continue to use this path as usual; however, expect reduced involvement from the FedRAMP PMO. The announced changes include:
- Holding pre-authorization kickoff meetings only when the PMO sees something unusual. This will allow new CSPs to more quickly achieve a formally “In Process” FedRAMP Marketplace designation.
- Skipping the PMO’s package adjudication. This will allow CSPs to more quickly achieve an “Authorized” designation in the FedRAMP Marketplace.
So don’t change your plans. If you are considering or already on the Agency path, continue as usual and expect to achieve authorization a bit faster with reduced scrutiny.
While initial authorizations may occur faster and with less scrutiny, CSPs and 3PAOs should brace for increased scrutiny and push-back from individual agencies as they compensate for the loss of that critical PMO quality check.
Automated “Signals” Demonstrate Continued Compliance
You may have heard this called continuous assessment, continuous compliance, or continuous authorization to operate (cATO). Once a system’s configuration is known to satisfy a security control, that configuration can be continuously monitored to ensure it doesn’t change. The monitoring telemetry is aggregated in a dashboard that can help an oversight body know the system remains in compliance.
This is a natural evolution of continuous monitoring practices, and it is great to see the PMO leaning into it! Don’t expect to see changes overnight. There are challenges to adopting this approach, and the PMO is leaving it to industry to solve those challenges and bring forward standards.
The NIST Open Security Controls Assessment Language (OSCAL) was developed with this use case in mind, and there are no other open standards for this use case. Industry groups such as the OSCAL Foundation are already expressing interest in solving this, and are well-positioned to do so with several FedRAMP CSPs as Foundation members.
Now is the time for CSPs to develop a strategy for OSCAL-based compliance monitoring. Now is also the time for Federal agencies to develop a strategy for OSCAL ingestion and enterprise dashboards.
Initial and Annual Assessments
In terms of FedRAMP Process steps, nothing changes here. CSPs will continue to engage 3PAOs at the same point in the process for initial and annual assessments.
The only formal change announced by the FedRAMP PMO is that as CSPs bring controls under continuous compliance monitoring described above, those controls will be descoped from assessments. In other words, once the PMO can see that a control remains compliant in real-time, it will no longer be necessary for an assessor to verify that control.
There will always be a need for periodic re-assessment as many organizational controls cannot be monitored via automation. The goal is to monitor as much as possible and reduce the assessment scope to only the controls that cannot be monitored.
While not called out by the PMO, CSPs should also expect some uncertainty from 3PAOs in the short term and less consistency from them in the long term. 3PAOs have always adjusted their processes and focus areas based on the pattern of enforcement they experienced from the FedRAMP PMO. Without that consistent enforcement mechanism, expect to see 3PAOs relax scrutiny in certain areas, and expect to see less consistency over time.
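To make the “signals” and descoping ideas above concrete, here is an illustrative example added to this post (not code from the FedRAMP PMO, a 3PAO, or the OSCAL project). It assumes a minimal subset of the OSCAL assessment-results “finding” shape (an objective-id target with a status state); the sshd check, the control identifiers used, the timestamps and the 24-hour freshness window are constructed placeholders, and a dashboard would in practice ingest many such signals from each CSO.

```python
# Added example, not code from the FedRAMP PMO or the OSCAL project. Assumes a
# minimal subset of the OSCAL assessment-results 'finding' shape (objective-id
# target + status state); the sshd check, control ids, timestamps and the
# 24-hour freshness window are constructed placeholders.
from datetime import datetime, timedelta, timezone

FRESHNESS = timedelta(hours=24)  # assumption: older signals are treated as stale

def check_ssh_root_login(sshd_config: str) -> bool:
    """Constructed technical check: PermitRootLogin must be explicitly 'no'."""
    for line in sshd_config.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "permitrootlogin":
            return parts[1].lower() == "no"
    return False  # not set explicitly: report not-satisfied rather than guess

def signal(control_id: str, satisfied: bool, collected: datetime) -> dict:
    """Emit one automated signal as a minimal OSCAL-like finding."""
    state = "satisfied" if satisfied else "not-satisfied"
    return {"target": {"type": "objective-id", "target-id": control_id,
                       "status": {"state": state}},
            "collected": collected.isoformat()}

def dashboard(findings: list, in_scope: list, now: datetime):
    """Newest fresh signal per control: those controls are descope candidates
    ('monitored'); controls without a fresh signal still need an assessor."""
    latest = {}
    for f in findings:
        cid = f["target"]["target-id"]
        collected = datetime.fromisoformat(f["collected"])
        if now - collected > FRESHNESS:
            continue  # stale signal cannot demonstrate compliance today
        if cid not in latest or collected > latest[cid][1]:
            latest[cid] = (f["target"]["status"]["state"], collected)
    monitored = {c: latest[c][0] for c in in_scope if c in latest}
    assess = sorted(c for c in in_scope if c not in latest)
    return monitored, assess

def run_demo():
    """Constructed sample: three signals against four in-scope controls."""
    now = datetime(2025, 3, 26, 12, 0, tzinfo=timezone.utc)
    cfg = "Port 22\nPermitRootLogin no\n"  # constructed sshd_config excerpt
    findings = [
        signal("ac-6", check_ssh_root_login(cfg), now - timedelta(hours=1)),
        signal("cm-6", False, now - timedelta(hours=2)),
        signal("au-2", True, now - timedelta(days=3)),  # stale, drops out
    ]
    return dashboard(findings, ["ac-6", "au-2", "cm-6", "pl-2"], now)
```

Note that a stale signal is treated the same as no signal: the control falls back into the assessor’s scope, which is the safe default when the automation stops reporting.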
Aspirational De-Emphasis of System Security Plans (SSPs)
Monday’s announcement included the goal of reducing SSP fatigue, which is music to our ears! CSPs should view these statements as aspirational. The PMO is trying to socialize this goal early.
Currently, the SSP is the basis for assessment planning, assessment reporting and package adjudication, not to mention being a key part of the NIST Risk Management Framework and required by leveraging agencies. For OSCAL-based assessment packages, SSP content is required for SAP, SAR, and POA&M expression.
Until the PMO provides clear and specific guidance, CSPs should continue to author and maintain their SSPs as usual. Better yet, consider automating the collection and assembly of SSP content like components, inventory and ports/protocols/services. Now is a great time to move toward an OSCAL-based SSP.
Drivers
You may be wondering what is driving these changes. There are several factors:
- The FedRAMP PMO lost its contracted support.
- The FedRAMP PMO is under pressure to eliminate bottlenecks and backlogs.
Loss of Contracted Support
All three PMO support contracts were defunded during the past 45 days. When the Noblis contract funds expire on March 31, the PMO will have only government staff. This represents more than a 75% reduction in former staffing levels and eliminates the staff that performed package adjudication over the past decade.
Bottlenecks and Backlogs
With the number of FedRAMP authorizations approaching 400, the current process wasn’t scalable, and backlogs were becoming unavoidable. When faced with ever-growing demand, organizations can increase staff, automate, or modify requirements to reduce their involvement. The recent loss of contracted support becomes a forcing function for the PMO.
Summary
The responsibilities for FedRAMP stakeholders remain the same. There may be some short-term benefits in the form of expedited “FedRAMP In-Process” and “FedRAMP Authorized” designations on the Marketplace.
CSPs should formulate strategies for gathering and delivering continuous compliance signals using OSCAL. Agencies should formulate strategies for receiving these signals from all leveraged CSOs into dashboard tools.
Assessors should expect more latitude coupled with less clarity as to focus topics and levels of scrutiny. Over time, assessors should expect a reduced level of effort as CSPs move controls under continuous compliance monitoring capabilities.
One thing is clear: the requirement for automation is fast approaching.
For now, set sails and stay the course while preparing to move faster!