Tools, platforms, or applications that allow the SSP to be integrated into the automation CSPs use for their ongoing security compliance are missing. The ability to have all FedRAMP controls and related language combined with preloaded notional processes, policies, and procedures would be a grand start.
The related steps to automate controls into workflows would greatly enhance SSP management and automation. Tying your control requirements to tool automation, and the ability to evidence the required event discovery, alerting, response, and remediation within a single management platform, would be a panacea. Being able to use that same system to create workflows for your corporate and administrative National Institute of Standards and Technology (NIST) controls within the same platform would be icing on the cake.
Market needs showing itself?
That there is a desire (on the part of the FedRAMP PMO as well as the CSPs) to move the FedRAMP security process to a more holistic, automated compliance method can be inferred from the following: a recent Request for Information (RFI) has been released by the FedRAMP PMO. In this RFI, FedRAMP is seeking input on the following (quote taken from the FedRAMP site): “In collaboration with the Office of American Innovation (OAI) and American Technology Council, GSA and FedRAMP have been working to improve the security authorization process across the federal government. Our ultimate goals include:
Reducing toil that inhibits our ability
Decreasing errors from manual activities.
Increasing speed to process (approvals and identification of issues).
Increasing value-add of machine-readable data for improving risk management.
One key component of this effort is identifying ways to incorporate automation into the Authority to Operate (ATO) process.”
Now, the request for information may be geared towards decreasing the time for a CSP to achieve a FedRAMP ATO. However, it also speaks to the constant dialogue that the FedRAMP PMO likely has with its constituent agencies and industry partners (cloud service providers) about increasing efficiencies in cloud security compliance.