CSP-AB Advisories for FedRAMP Requests on Key Performance Metrics and Federal Cryptography Standards

In September 2024, the Federal Risk and Authorization Management Program (FedRAMP) proposed updates addressing federal cryptography standards and performance metrics. These developments mark pivotal steps in modernizing the U.S. government’s cloud security and compliance ecosystem. Here’s what these updates mean for cloud service providers (CSPs) and public sector organizations.


Redefining Federal Cryptography Standards

The proposed updates to how FedRAMP applies federal cryptography standards introduce a risk-based approach that balances compliance with the practical needs of hyperscale cloud environments.

Key highlights include:

  • Flexibility with Cryptographic Modules: FedRAMP recognizes that a FIPS 140-validated module is not always the most secure option, because validation takes time and a validated build may lag behind a patched version that has not yet completed validation, leaving known vulnerabilities in place. By allowing justified, documented use of non-validated modules in such cases, FedRAMP lets CSPs respond to new threats without compromising security.
  • Dynamic Security Practices: Cryptographic choices are to be re-evaluated periodically rather than assessed once at authorization, so that practices keep pace with evolving threats and technologies.
  • Operational Feasibility: The Cloud Service Providers Advisory Board (CSP-AB) raised concerns about the feasibility of exhaustive, per-module cryptographic documentation in hyperscale environments. This feedback highlights the need for scalable solutions that do not impose undue burdens on CSPs.

The proposed January 2025 implementation timeline offers CSPs sufficient runway to adapt their practices. However, unresolved issues, such as the backlog and delays in cryptographic module validation, need immediate attention if these policies are to drive meaningful progress.

Read our response to the proposed policy update on the application of federal cryptography standards:



Refining FedRAMP’s Key Performance Metrics

FedRAMP’s review of its performance metrics aims to enhance the authorization process for cloud service offerings (CSOs). The CSP-AB’s feedback reflects a collective focus on making the program more agile and efficient while maintaining its “security-first” approach.

Highlights from the metrics discussion include:

  • Increased Transparency: The CSP-AB encourages tracking and publishing data on Significant Change Requests (SCRs) and authorization backlogs. This transparency will help identify bottlenecks and improve communication with stakeholders.
  • Resource-Centric Metrics: Adding metrics on full-time equivalents (FTEs) involved in authorization processes provides a clearer picture of the resource demands on CSPs, beyond just cost and time.
  • Strengthening Reuse: Measuring both direct and indirect reuse of authorizations offers valuable insights into the adoption and efficiency of reuse within federal agencies. Setting targets for agencies to achieve reuse annually could further incentivize efficiency.
  • Comprehensive Cost Metrics: Expanding metrics to account for the design and implementation costs of controls ensures a more holistic understanding of compliance investments.

Read our response to the Key Performance Metrics:


Path Forward

The proposed changes reflect FedRAMP’s commitment to streamlining processes and enabling secure cloud adoption. As the CSP-AB emphasized, agility will be key to addressing immediate challenges, such as backlog reductions, while maintaining a forward-looking approach to long-term improvements.

These updates also underline the collaborative relationship between FedRAMP and the CSP-AB. By incorporating feedback from industry leaders, FedRAMP is poised to strengthen its position as a global benchmark for cloud security and compliance.


Conclusion

FedRAMP’s evolving policies on cryptography and performance metrics highlight its dedication to balancing security, efficiency, and operational practicality. These advancements not only benefit CSPs but also reinforce the government’s ability to deliver secure, scalable digital services to citizens. As we approach 2025, the cloud community must continue to engage in shaping these policies for a safer digital future.


Call to Action: Stay updated on FedRAMP’s policy changes and explore how your organization can align with these evolving standards. Together, we can drive innovation and security in the public sector cloud ecosystem.
