6/23 FAB Community Call: Brian Conrad Roundtable (1)

Format:

  • 60 min total
  • Brian + 1-3 participants asking the pre-canned questions
  • FCAB members only, not publicly advertised
  • 20ish minutes for audience follow-up questions
  • Not recorded

No questions in these areas:
  • Funding
  • Resourcing
  • Interpreting legislation
On June 26th, 2023, Brian Conrad, the Director for FedRAMP at the GSA, participated in a 60-minute roundtable Q&A with the Federal Cloud Advisory Board. The following are the questions we asked, along with our notes on the responses.
Questions:
3PAO-related:

Regarding A2LA

A2LA was the only viable option at the start of the FedRAMP program in terms of willingness to help. Brian was not part of the team at that time but described a strong need for a qualification process for 3PAOs. Overall, the current sentiment is that they have effectively determined baseline requirements for 3PAOs.
The long-term vision is one where the process centers around automation (e.g., OSCAL). Additionally, FedRAMP is working on an in-house GRC tool to ingest packages and provide automated validations.

How do PMO QA staff stay up-to-date on tech?

There is an attempt to do periodic training for reviewers so they stay updated on emerging tech and new gov policies (e.g., AI and its implications for federal data). Unfortunately, it’s not always as proactive as desired, given the need to maintain the operational tempo of core FedRAMP work.

What is the appetite for creating an open database of guidance the PMO gives during the review process?

The PMO attempts to write broad policies, similar to how roads have guardrails without forcing you into a single narrow lane. The concern is that some guidance is CSP-centric rather than broadly applicable. Ideally, the PMO wants to create an internal knowledge management system to track this guidance while carefully considering CSP specifics.
Brian expressed a concern with a CSP-managed database in that he felt it could lead to a game of telephone because the source wouldn’t be authoritative given that it wouldn’t be GSA owned/operated.

Is a formal appeals process on the roadmap now that FedRAMP is statutory?

Depends. If it’s a JAB-sponsored CSP, then the escalation is through JAB tech representatives. If it’s an agency-sponsored CSP, then through the AO since the AO accepts risk for the CSP.
If it’s FedRAMP related, e.g., if you don’t report an incident and get a corrective action from PMO, then the appeals process for that is the PMO Director (Brian currently). The process is similar for 3PAOs.

How can the CSP escalate the issue if a PMO reviewer or 3PAO does not understand the technology or is technically wrong in an assessment?

There are two paths for a CSP:
  • A contractual relationship exists between the CSP and 3PAO. Performance issues ought to be stipulated in said contract.
  • The sooner you let PMO know, the better. PMO has its escalation procedures. A performance guide exists for 3PAOs. Remediation starts with a consultation and can escalate up to and including calling into question their FedRAMP recognition.
    • An intervening meeting can be brokered when practical.
    • The contract is ultimately king.

Are there any plans to work more closely with states, and what is the reasoning behind excluding states from the MAX folder?

States can’t access MAX because of the presence of federal data. The way PMO is funded and chartered, they are not allowed to work with state governments directly.

How does that impact burden or reciprocity?

There is no limitation on whom the CSPs can share the SSP, SAP, and SAR with. That’s considered company IP. The PMO asks to be told who you shared them with. The line is drawn where there is any federal data. For example, ConMon reports can’t be openly shared because they contain federal data.

Is there an update on a FedRAMP High secure document repository (OMB Max Replacement)?

The PMO is working toward a GRC tool with a High authorization as a prerequisite. The interim replacement for OMB MAX is a system still to be determined; FedRAMP hasn’t bolted down the details quite yet.

With the proliferation of AI models, what is the current guidance on a FedRAMP CSO connecting to an external non-FedRAMP AI model? Under what circumstances would that be allowed, given that CSP commercial offerings may be integrated with AI models not owned or operated by the CSP, making it nearly impossible to get the AI model inside the security boundary?

  • FedRAMP is starting from the ground up to build initial capability and then evolving with the industry as possible. Brian sees AI as part of this, but tech maturity isn’t quite there.
  • The general rule is to refer to boundary guidance. Ideally, AI models would get authorized, so there isn’t a path for a CSP to get an ATO when using a 3rd party AI model that would ingest federal data.

What is the guidance around connecting FedRAMP moderate and FedRAMP high instances? Would this be allowed if CSPs or end-users could build controls and show that no high data ends in a moderate environment?

Brian thinks about this the way classified materials are handled: if you have TS clearance, you can look at Secret material. Technical controls must be discussed with the JAB, but it’s viable.

Industry representation on FSCAC includes representing large CSP players (three hyper-scalers, one 3PAO, and one small CSP). What is the plan to include the voice of more SMB/typical CSPs? What about representation for CSPs without a current status?

The composition was spelled out in legislation: at most 15 members. This doesn’t preclude anyone from coming in front of the committee. You must contact them and let them know you want your voice heard.

How can we ensure consistency with the quality of the Agency review process to ensure that the review is cleaner once it gets to the PMO? Sometimes agencies provide a green light on an architectural element only to have it converted into a High POAM during PMO review.

  • The PMO has thought about this in the context of wanting to reduce time-to-authorization.
  • A primary issue is that the agency authorization process is done serially.
  • Presently, the PMO is looking for CSPs/packages to test out a more parallel process, with simultaneous PMO and Agency reviews.

State governments/agencies are asking to be within the FedRAMP authorization boundary. What is the best way to handle this request? Is it allowed?

  • Government community clouds are acceptable.
    • Must be identified as such in SSP
    • PMO will be concerned about where federal data will live and how it will be accessed.
    • FedRAMP PMO has no interest in State-level needs.
  • States can be freely given access to SSPs, SAPs, and SARs.

Will the in-house GRC system be FedRAMP High ATO'ed? Can you provide vendors with free or minimally paid tenancy within this GRC system to eliminate this hurdle for vendors?

Yes, it will have a High ATO, but Brian isn’t sure what legal mechanism would exist to collect fees or if vendors would even have access.

While the FedRAMP PMO may consider the SAP and SAR the vendor's proprietary info, if the CSP is also DISA/DoD IL4/5 authorized, DoD doesn't always feel the same way...

Brian describes it as a tale of two agencies. Only some agencies will have the same attitude. Brian isn’t sure how to normalize this. From a FedRAMP perspective, SAP/SAR/SSP is vendor IP.

The software supply chain EO alluded to FedRAMP alternatives. Are there any plans to map to other frameworks?

  • The challenge is that 800-53 is very prescriptive while other frameworks aren’t.
  • FISMA is a hurdle that is federal law.
  • From Brian’s perspective, he asks how we [FedRAMP] can look at the organizational maturity of a CSP coming into FedRAMP based on the work they’ve done with other compliance bodies. Something like an organizational maturity matrix for compliance. SOC 2 and LI-SaaS had a big gap, for example. It’s a challenge.
    • This is a two-edged sword. Even if you took all compliance bodies and dropped them on top of 800-53, there would still be FedRAMP-specific work.
      • The question is, are CSPs willing to invest without guaranteed ROI? Getting listed on the marketplace doesn’t guarantee market success. A business mind is required to determine ROI prospects. Lowering the burden is one thing, but the federal market dictates this.
    • With small businesses, FedRAMP is looking to see what can be done to get them in fast. FedRAMP wants to lower barriers but not the cyber barriers. Brian has a couple of ideas being explored (not public).

Would there be another model for getting started, e.g., 500k is cheap for FedRAMP but not affordable for small shops?

  • Some ideas are being kicked around. Where can we have self-attestation vs. 3PAO validation?
    • Scenario: if you reduce the work required from the 3PAO, they will likely raise prices. Lowering barriers to entry is a complex thing to do. The PMO is looking at ways to eliminate the sponsor requirement for small businesses.

Is there a working group around the automation process specifically?

There is no current automation working group. FedRAMP is going to need to consider the nuances before dropping automation in.
The challenge is that federal requirements can’t be waived (e.g., FISMA). Brian encourages cloud providers to be aware of what’s required so they can avoid bolting on engineering efforts after the fact. The process often takes a long time because of re-engineering to meet federal requirements. It is a combination of all these nuances.

From the angle of lowering the barrier for small SaaS providers: there is an idea of a PaaS in which apps can reside to reduce the compliance burden. Some folks are already doing this with DoD. Is anything like this planned for FedRAMP, or are other agencies thinking about it?

Brian would leave it to industry to determine that model. There are already some examples of this in the market.