Last month, the federal government announced a major overhaul of the Federal Risk and Authorization Management Program (“FedRAMP”) called “FedRAMP 20x” (we discussed the initiative here). FedRAMP 20x is moving forward fast – with new authorizations, community engagement efforts, standards documents, and the Phase One pilot program. (More information about the Phase One pilot program is available here.)
Of particular note, there are two draft standards for public comment: (1) the Significant Change Notification Standard, which will replace the current standard with a new process that allows cloud service providers to make changes without prior approval from the government; and (2) the Minimum Assessment Scope Standard, which will replace the current Authorization Boundary guidance materials (previously summarized here). The public comment period for both standards currently is open until May 25, 2025.
Significant Change Notification Standard
Currently, the significant change process requires cloud service providers (“CSPs”) to provide 30 days’ notice to the authorizing official requesting approval prior to implementing a “significant change.” Examples of a “significant change” in current FedRAMP guidance include adding new technology or external services, removing system components or service offerings, and adding or removing security controls, among others. If a CSP fails to submit the required significant change request to the authorizing agency official for review and approval, the authorizing agency can suspend or revoke the authorization.
The draft Significant Change Notification Standard acknowledges the burden and inefficiencies associated with the existing process and will permit CSPs to implement certain changes that are in the best interest of agency customers without obtaining prior approval. Below are key points from the updated Significant Change Notification Standard:
- Tiered Notification Framework: The Standard introduces a tiered framework with new definitions describing the types of changes a CSP may make to its FedRAMP environment.
- “Adaptive change” means any significant change that adjusts existing components or functionality of the cloud service offering. The Standard notes this is the least impactful type of significant change. Adaptive changes, which are characterized as significant but routine, may be made as appropriate without consultation with the CSP’s federal agency customers.
- “Transformative change” means any significant change that adds, replaces, or removes major components and functionality of the cloud service offering. Transformative changes, which are characterized as major functionality changes, require the CSP to consult with agency customers in advance. The Standard provides proposed time frames for this consultation (e.g., CSP must provide notice to agency customers at least 14 calendar days in advance of the monthly monitoring meeting to first discuss planned transformative changes).
- “Impact categorization change” means any significant change that is likely to increase or decrease the impact level rating for the cloud service (e.g., from Low to Moderate or from High to Moderate). Impact categorization changes require reauthorization and are the most impactful type of significant change.
- Notification Information: The updated standard provides a list of required information to be submitted by the CSP depending on the type of significant change. For Adaptive changes, CSPs must submit the date of the change, a summary of the steps taken to verify and assess controls after implementation, and a summary of any new risks identified and any Plan of Action or Milestones (“POA&Ms”) that resulted from the change. The required information for Transformative changes expands on this list and requires information regarding whether the planned change is “opt in” and how to opt in if applicable, details on service components and controls affected, and a copy of the security assessment plan.
Comments may be submitted using the discussion thread, the public comment form, or by emailing [email protected] with the subject “RFC-0007 Feedback.”
Minimum Assessment Scope Standard
The draft Minimum Assessment Scope Standard will take the place of the current FedRAMP Boundary Policy / Boundary Guidance. The Minimum Assessment Scope Standard seeks to replace the current FedRAMP authorization boundary approach with “a simple and reasonable test” for determining the information and resources to be included in the FedRAMP assessment. By removing unnecessary detail or specifics, the new approach aims to help FedRAMP move from compliance-based decision making to security-based decision making and assessment.
The streamlined approach provides that the Minimum Assessment Scope includes all information resources managed by a CSP and its cloud service offering that: (1) handle federal information; and/or (2) likely impact confidentiality, integrity, or availability of federal information. The Minimum Assessment Scope standard provides six clarifications on how to apply the Minimum Assessment Scope:
- Information resources and metadata that do not meet condition (1) or (2) are outside the Minimum Assessment Scope.
- If the cloud service uses information resources from other FedRAMP authorized or certified services then only the configuration and usage of those information resources is included in the Minimum Assessment Scope.
- If the cloud service uses information resources from other services that are not FedRAMP authorized or certified then all aspects of those services where (1) or (2) applies are included in the Minimum Assessment Scope.
- Software and other such products (including agents and clients) that are installed, managed, and operated on agency information systems are outside the scope of FedRAMP. Any information resources in the cloud service that control or communicate with such products are within the Minimum Assessment Scope if (1) or (2) applies.
- Information resources of the service offering may vary by impact level as appropriate to the level of information handled or impacted by the information resource so long as this is clearly identified and documented.
- Stakeholders should review best practices and technical assistance provided separately by FedRAMP for help with applying the Minimum Assessment Scope as needed.
The new standard represents a marked change in approach, particularly it seems with respect to metadata or indirect data, which we expect may be a hot topic during the comment period. Comments may be submitted using the discussion thread, the public comment form, or by emailing [email protected] with the subject “RFC-0005 Feedback.”