FedRAMP Baseline Transition Points to OSCAL-Native Tools

Originally published by RegScale and MeriTalk.

Until recently, FedRAMP (Federal Risk and Authorization Management Program) certification was an Executive Branch mandate, but now that it has become law, it legally stands between cloud service providers (CSPs) and government revenue.

Further impacting the landscape is FedRAMP’s approval earlier this year of Rev. 5 baselines that were updated to correspond with the latest guidance from the National Institute of Standards and Technology (NIST).

According to the FedRAMP marketplace, cloud service providers including Microsoft, Amazon Web Services, and Salesforce have many existing FedRAMP authorizations at moderate and high impact levels. These authorizations, however, date back years, and for these already-certified CSPs, they are required to move from Rev. 4 to Rev. 5 Baselines.

Update to FedRAMP Rev. 5 Baselines

The FedRAMP update to the baselines is based on the National Institute of Standards and Technology (NIST) Special Publication SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations, Revision 5.

While increasing security and privacy controls is important to address the changing threat landscape, many stakeholders are concerned about the cost of FedRAMP compliance. It can be a significant expense, particularly for smaller CSPs, making it difficult for federal agencies to find affordable cloud solutions. Compounding the challenge, the authorization process can be slow, further delaying the adoption of cloud services to meet the government’s mission-critical needs.

As organizations look at updating to FedRAMP Rev. 5 Baselines, many CSPs must make adjustments that will take time to implement, particularly for those with unique security requirements or those seeking to use cloud services in new ways to meet the changing demands of users.

A Quicker and More Cost-Efficient Transition Process

NIST developed the Open Security Controls Assessment Language (OSCAL) to provide machine-readable representations of control catalogs and baselines, system security plans, and assessment plans and results – essentially covering all aspects of the Risk Management Framework (RMF). The goal is to simplify these transitions by shifting to an Authority to Operate (ATO) as-code approach for compliance tools.

Instead of writing compliance documents in Microsoft Word and Excel Spreadsheets – a slow, manual process that does not reflect real-time changes – OSCAL-based tools enable automation, helping to address cost and accuracy concerns by accelerating the process and minimizing manual work and errors.

Authorization to Operate (ATO) Tools

An ATO is a formal decision made by a senior government official to authorize the operation of an information system on behalf of a federal agency. The agency requires an ATO to connect the CSP to the government network, while the CSP needs FedRAMP to approve the security of the cloud environment. This results in a double-edged sword for the government to enable technology in cloud environments because while it ensures that both agencies and CSPs have endeavored to secure both systems and data, it also adds complexity and bureaucracy to the cloud adoption process.

ATO tools are software applications that help automate the ATO process, saving time and resources while ensuring a consistent and repeatable certification process. These tools help streamline the assessment, accreditation, and authorization steps of the ATO process by automating many of the tasks involved in FedRAMP certification, including gathering evidence, preparing documentation, and conducting assessments.

Additionally, ATO tools provide insights into a cloud environment’s security posture, helping agencies identify and mitigate security risks. These tools also improve communication between CSPs and federal agencies, enabling them to resolve issues that emerge during certification more quickly, reducing the burden and cost of FedRAMP certifications now and in the future.

Simplify FedRAMP Certification

To address many of the concerns stakeholders have related to FedRAMP certification, CSPs should consider solutions built on OSCAL. Using OSCAL-native tools, CSPs can get to ATO faster using code and submitting packages for authorization in a machine-readable format. This enables CSPs to resolve issues early on rather than going back and forth during the authorization process and allows for automated package reviews to accelerate ATO approvals.

Considering the significant costs involved in both becoming FedRAMP certified and requirements to transition from Rev. 4 to Rev. 5 baselines, this latest revision should be an impetus for organizations to seriously consider investing in OSCAL-native tools to improve the ATO process. The threat and technology landscape continues to change, and organizations can expect future revisions and additional overlays on FedRAMP Rev. 5 baselines based on each agency’s unique requirements, particularly the Department of Defense. Adopting OSCAL-native tools can help transform the FedRAMP certification from a massive undertaking in terms of cost, time, and effort into an automated and streamlined process.