The challenge of continuous monitoring in the cloud
- By Sara Friedman
The continuous monitoring required to maintain cloud security can eat up a supersized portion of time and money.
Even after a cloud service provider is issued authority to operate under the Federal Risk and Authorization Management Program, the compliance work doesn’t stop for agencies, vendors or FedRAMP officials.
“We spend about 75 percent of our security budget in continuous monitoring in my office alone, and it is too much for any agency or organization to maintain,” FedRAMP Director Matt Goodrich said at a Dec. 7 Digital Government Institute Cloud Computing Conference. “We are looking to reduce the burden of continuous monitoring -- not only in our office but for our vendors as well.”
FedRAMP wants to find ways to reduce the effort dedicated to continuous monitoring, Goodrich said, and is meeting with vendors “to understand how [CSPs] are meeting [the requirements] and change the way that we look at that based on their capabilities.” Automation of the risk reduction process is a possibility, he said.
Continuous monitoring involves “periodic reporting for scanning, … change management and incident response,” he said. “Each of those has unique elements in it, so we are looking to address portions of it rather than doing a full-scale redesign all at once.”
FedRAMP will consider the abilities of smaller providers that might not have the resources to automate their FedRAMP authorizations. Goodrich said the likelihood of changing authorization requirements is “not high,” but the standards to meet the requirements will change for providers with “different types of capabilities.”
While Goodrich said he believes the continuous monitoring process “works well now,” improvements could give his office more time and energy to devote to granting CSPs more FedRAMP authorizations.
Reducing the continuous monitoring burden is the latest effort by FedRAMP to streamline the program. This year, the program rolled out FedRAMP Connect, a program that prioritizes authorizations based on demand, and the FedRAMP Tailored baseline for low-impact or low-risk software-as-a-service solutions. An Agency Authorization Playbook distills five years of experience from helping agencies issue an authority to operate, offering step-by-step guidance and best practices.
FedRAMP is also in the process of helping agencies clarify inconsistent or unclear language in their cloud services contracts and is asking industry for examples of good and bad contracting language.