FedRAMP Automates Security Authorization Packages Checking Process
The General Services Administration is set to release XML-automated validations allowing vendors to check their security authorization packages for completeness before submitting them to the Federal Risk and Authorization Management Program, news reports revealed. FedRAMP used Schematron’s rule-based validation for making assertions against XML to automate the process and wants vendors to self-test their packages to ensure all the required data is in place.
The validation will take place before FedRAMP managers decide whether or not to issue a cloud product an authority to operate. More easily hackable legacy systems stay in operation longer because agencies cannot quickly purchase cloud products due to several issues. This is the reason why vendors have long wanted FedRAMP to automate parts of its authorization process, FedScoop reported Tuesday.
Zach Baldwin, automation lead within the FedRAMP program management office, said his office wants vendors to implement the validations that allow them to reinsert new files with more complex checks. FedRAMP is also considering an agile ATO, a critical set of controls vendors can implement quickly while saving lesser ones for later, he added.
Baldwin revealed that the PMO recently partnered with the Department of Homeland Security’s .govCAR to score vendors’ security architectures against cyberthreat heat maps. Updated scores will be released in the near future and they can be used to create a risk profile as agencies make cloud service purchasing decisions, the official explained.
Baldwin said automation would not be possible without FedRAMP’s work with the National Institute of Standards and Technology to create the standardized Open Security Controls Assessment Language for authorization packages.
Category: Digital Modernization
Tags: automation digital modernization Federal Risk and Authorization Management Program FedRAMP FedScoop General Services Administration GSA Schematron Zach Baldwin