The Future of FedRAMP Compliance Management
The federal government continues to be one of the largest consumers of cloud services, spending $8.2 billion in FY 2021, up from $6.6 billion in 2020. This growth was in part accelerated by Executive Order (EO) 14028 Improving the Nation’s Cybersecurity, in response to the growing number of data breaches targeting government agencies and critical infrastructure that have been linked to poor security controls. EO 14028 tasked federal agencies with aggressive timelines to move to cloud environments with zero trust architecture.
“The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.” - Joe Biden, Presidential Executive Order 14028, May 12, 2021
The Federal Risk and Authorization Management Program (FedRAMP) was established in 2011 as a way for federal agencies to evaluate the security of cloud service providers (CSPs) and cloud service offerings (CSOs), creating transparent standards and allowing agencies to reuse authorizations at scale. CSPs work with a third-party assessment organization (3PAO) to become FedRAMP authorized for each CSO and to meet the requirement for continuous monitoring; ideally, the 3PAO also acts in a consultancy capacity, supporting the journey to FedRAMP compliance and the pursuit of an Authority to Operate (ATO).
In response to the EO, the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Digital Service, and FedRAMP released version 2.0 of the Cloud Security Technical Reference Architecture guide, updating the security requirements for zero trust and reiterating the importance of continuous monitoring to detect changes and inform risk-based decision making. In turn, many federal agencies are looking to share the responsibilities for continuous monitoring with CSPs and other member agencies to ensure the CSO continues to meet today's evolving needs.
The True Cost of Manual Assessment Processes
In most CSPs, gathering evidence and uploading the security deliverables to the assessment organization for authorization is a manual and time-consuming process that relies heavily on paper, Excel, or digitized checklists. These are a frequent source of human error, and this approach to documentation also lacks true visibility into the changing nature of a dynamic system. Further, manual processes cause significant delays in the authorization process, and those delays can result in the loss of a valuable government contract.
In response to the evolving risk landscape and the need to standardize and automate security controls, FedRAMP and NIST developed the Open Security Controls Assessment Language (OSCAL). The goal of OSCAL is to reduce the workload associated with assessing, authorizing, and continuously monitoring CSOs. OSCAL is the first step in the movement toward true continuous monitoring to reduce risk. However, OSCAL is a language, not an out-of-the-box solution.
EIT and RegScale Partner to Deliver a Continuous ATO Process
“People spend all of their time just proving they’re compliant when they really should be focused on risk. Self-updating continuous ATO should be the state of the practice.” - Travis Howerton, Co-Founder & CTO, RegScale
Emagine IT (EIT), a Type C FedRAMP 3PAO, and RegScale have announced a partnership to streamline and automate FedRAMP assessments using RegScale’s automated, API-centric approach to compliance. EIT and RegScale have developed an automated assessment program for CSPs that is both powerful and simple to use, helping reduce risk and achieve continuous ATO, all with the click of a button.
Through this partnership, EIT customers have the potential to transform ATO assessments from a time-consuming and costly once-a-year compliance activity into an on-demand tool for active risk management. Only a small handful of 3PAO assessors have the capability for technology-enabled assessment, and only RegScale provides the capability for easy, continuous risk management.
"Looking at tangential industries, accountants were doing taxes using pencil and paper for decades. With the innovation that technology platforms brought to the table, they were able to rapidly modernize and deliver taxes at a much more rapid pace with the click of a button. And right now, the challenge is we're still doing compliance in paper and pencil. We have now reached an inflection point where technology can now be used to automate the submission of compliance documentation and achieve a continuous ATO. You're going to want to partner with 3PAOs that are embracing technology, not pencil and paper, to dramatically accelerate your ATO process. And that's what this partnership between 3PAOs like EIT and RegScale as a technology provider brings to the table: dramatically accelerating the ATO process and allowing you to submit your package at a click of a button and achieve a continuous ATO." - Anil Karmel, Co-Founder & CEO, RegScale
The RegScale platform provides real-time visualization of compliance and operational risk to inform decision making, and it produces machine-readable authorization packages in OSCAL to streamline EIT's FedRAMP assessments and tailored cybersecurity consultancy services. EIT has a consistent team of assessors who have advised dozens of CSPs on cybersecurity best practices and 3PAO assessments. In other words, EIT's already-proven advisory model has been elevated to provide a technology-enabled assessment workflow that can reduce evidence collection and upload times by as much as 40%, at no extra cost to the customer.
With EIT and RegScale, CSPs can automate the collection of security control implementation information for the system security plan (SSP) and enable automatic validation checks, all in a machine-readable format that can easily be vetted as part of a continuous ATO process. This partnership will give compliance managers one of the most streamlined, cost-effective paths to accelerate authorization to operate, including:
- Real-time visualization of security and compliance
- Continuous ATO processes
- A powerful dashboard that streamlines compliance activities and reduces errors
- Automated submission of OSCAL documentation to EIT for 3PAO assessment
- Enterprise reporting for risk management
- Consistency even if the CSP's compliance department experiences turnover
CSPs looking to sell to the federal government face increased competition in the FedRAMP marketplace, which currently lists 299 FedRAMP Ready and Authorized CSPs, with another 82 actively seeking designation. CSPs that can quickly meet authorization requirements and demonstrate continuous ATO processes have a significant advantage: they reduce risk for federal agencies and shorten the purchasing cycle, allowing the CSO to be used by federal agencies much sooner.
"For CSPs looking to become FedRAMP assessed, or who are in the early stages of working on a manual assessment, the transition to a technology-enabled assessor has never been easier and more necessary." - Adam Chun, Director of Cybersecurity & Compliance