FSCAC Top Recommendations by Member
Columns: Created | First Name | Last Name | CSP Authorization Path Recommendations | ConMon Process Recommendations | Automation Initiatives Recommendations
Row 1 | Created: 01/16/24 7:48 AM | Nauman Ansari
CSP Authorization Path Recommendations:
B1. Establish means for the FedRAMP PMO to track the type/details of quality issues in security packages
B2. Publish (on a quarterly cadence) the issues that have been identified or discovered and, where possible, what was or will be done to address them, to increase transparency and drive quality improvements
ConMon Process Recommendations:
A1. Implement an integrated GRC tool for agency and FR authorizations that can ingest common annual assessment and change request data for an integrated risk picture and a “single pane of glass” view for all agencies utilizing the CSO
A3. Centralize all ConMon for FedRAMP agency authorizations
Automation Initiatives Recommendations:
A1. Establish an exploratory committee to create an open source community around compliance so that automation can be achieved in a reasonable timescale
B1. Review the current set of requirements, controls and deliverables to determine if they are still necessary. Identify opportunities for descoping things that are less relevant to the security of cloud offerings...
E1. Fully fund an award (if necessary, multi-year) for an automation support contract to support the agencies as well as the FedRAMP PMO
Row 2 | Created: 01/12/24 1:14 PM | Ann Lewis
CSP Authorization Path Recommendations:
A2. Review and establish FedRAMP control inheritance, available for CSP/Agency review via publicly available crosswalks from other control reviews within the US government or other authoritative and accepted sources (ISO, PCI, etc.), for reciprocity
B4. Ensure security consistency and reuse of acceptance by expanding the CSO security package documentation to include a guide defining baseline secure configurations and deployments
C3. Provide increased transparency into the queue and alignment with SLOs so that CSPs can see exactly where they are in the queue and how long they have been, or are expected to remain, in that position
D2. Set and measure service level objectives (SLOs) for each phase of the authorization process, regardless of which pathway is chosen (i.e., those mentioned in and created in compliance with Section IV); establish SLOs for response windows
E1. Establish a matrix of fully inherited hybrid responsibilities for SaaS and develop a SaaS assessment process that utilizes existing assessment processes to the extent possible
E4. Set a cadence for template and documentation updates from FedRAMP with established public feedback timelines, including updates to control interpretations or expectations
ConMon Process Recommendations:
A1. Implement an integrated GRC tool for agency and FR authorizations that can ingest common annual assessment and change request data for an integrated risk picture and a “single pane of glass” view for all agencies utilizing the CSO
A2. Develop an agency-agnostic common reference architecture for an integrated EGRC ecosystem, with automated update of customer and related CSP responsibilities, that provides guidance on which metrics and automation outputs will be used for each control
B3. Develop additional clarity around when and how public notifications of identified risks are made, and ensure public disclosure, where necessary, accounts for making known exploitable security risks
Automation Initiatives Recommendations:
B1. Review the current set of requirements, controls and deliverables to determine if they are still necessary. Identify opportunities for descoping things that are less relevant to the security of cloud offerings...
B3. Assess FedRAMP baseline security controls to determine which can be automated or inherited from other authorization programs
C1. Accelerate ingestion of FedRAMP data into existing solutions like CDM, and vice versa (e.g., threat intel from FIPs to the GRC)
Row 3 | Created: 01/12/24 11:49 AM | Joshua Cohen
CSP Authorization Path Recommendations:
A1. Outsource a standardized review process by sharing a machine-readable PMO checklist with CSPs/Agencies, who can attest to it (i.e., limit PMO review and oversight)
A2. Review and establish FedRAMP control inheritance, available for CSP/Agency review via publicly available crosswalks from other control reviews within the US government or other authoritative and accepted sources (ISO, PCI, etc.), for reciprocity
A3. Allocate resources to the FedRAMP program and relevant teams within individual agencies or departments so they are able to implement any and all recommendations
B4. Ensure security consistency and reuse of acceptance by expanding the CSO security package documentation to include a guide defining baseline secure configurations and deployments
C2. Establish a more agile PMO review process; provide incremental, iterative feedback on security packages to CSPs to keep the process moving and eliminate waiting in the queue for a full review
C4. Generate evidence/artifacts for authorization in an automated fashion, using OSCAL or a similar industry-adopted open standard, to create a clearer understanding of the risks of using a cloud service offering
C5. Develop an agency review process whereby compliant agency authorizations move to the marketplace without additional review
ConMon Process Recommendations:
A1. Implement an integrated GRC tool for agency and FR authorizations that can ingest common annual assessment and change request data for an integrated risk picture and a “single pane of glass” view for all agencies utilizing the CSO
A3. Centralize all ConMon for FedRAMP agency authorizations
B2. Integrate ConMon into the OSCAL/EGRC work
Automation Initiatives Recommendations:
B1. Review the current set of requirements, controls and deliverables to determine if they are still necessary. Identify opportunities for descoping things that are less relevant to the security of cloud offerings...
B3. Assess FedRAMP baseline security controls to determine which can be automated or inherited from other authorization programs
C2. Pilot implementation of OSCAL
Row 4 | Created: 01/12/24 11:30 AM | John Greenstein
CSP Authorization Path Recommendations:
A1. Outsource a standardized review process by sharing a machine-readable PMO checklist with CSPs/Agencies, who can attest to it (i.e., limit PMO review and oversight)
A2. Review and establish FedRAMP control inheritance, available for CSP/Agency review via publicly available crosswalks from other control reviews within the US government or other authoritative and accepted sources (ISO, PCI, etc.), for reciprocity
C3. Provide increased transparency into the queue and alignment with SLOs so that CSPs can see exactly where they are in the queue and how long they have been, or are expected to remain, in that position
E3. Establish a FedRAMP mentorship (“sherpa”) program to provide opportunities for experienced agencies to train and support those who have not gone through the process
F1. Increase engagement with CSPs to increase knowledge exchange and improve the overall process
G1. Establish a minimum standard of requirements for CSPs that are non-negotiable for authorization and cannot be met with alternative implementations
G2. Establish alternative implementation exceptions whereby controls/guidance are met in a way that differs from common CSP implementations yet is still secure and is reviewed by the 3PAO
ConMon Process Recommendations:
C1. Evaluate and adjust the equitable sharing of resources. As reported by the JAB, 80% goes to ConMon (monthly, annual, and change requests) and 20% to initial authorizations; this split is creating issues for CSPs
D1. Identify and implement interim solutions for improving ConMon until new automation capabilities are available (e.g., redefine requirements for monthly vulnerability scans)
D4. Provide CSPs with a roadmap for the overall prioritization of controls, timelines for when the data can be consumed by the authorizing body, and any intermediate and final deadlines by which CSPs may have to make conforming changes
Automation Initiatives Recommendations:
A3. Coordinate with FedRAMP, 3PAOs and industry stakeholders to identify lower-risk controls that can be automated, so that effort can focus on the higher-risk controls and lower the timeline and cost of assessment and authorization
A4. Incentivize OSCAL adoption and review areas ripe for automation in the workflow. Set up a working group to incentivize industry to participate in developing, maintaining, and adopting automation technologies
B1. Review the current set of requirements, controls and deliverables to determine if they are still necessary. Identify opportunities for descoping things that are less relevant to the security of cloud offerings...
B3. Assess FedRAMP baseline security controls to determine which can be automated or inherited from other authorization programs
C2. Pilot implementation of OSCAL
Row 5 | Created: 01/12/24 10:58 AM | Bill Hunt
CSP Authorization Path Recommendations:
A2. Review and establish FedRAMP control inheritance, available for CSP/Agency review via publicly available crosswalks from other control reviews within the US government or other authoritative and accepted sources (ISO, PCI, etc.), for reciprocity
A3. Allocate resources to the FedRAMP program and relevant teams within individual agencies or departments so they are able to implement any and all recommendations
B1. Establish means for the FedRAMP PMO to track the type/details of quality issues in security packages
B5. Create a process to evaluate quality issues and inconsistencies to determine whether FedRAMP documentation should be updated to clearly communicate expectations and prevent recurrence of issues
C1. Increase standardization across reviewers for control interpretation and review, with a consistent and explicit escalation process where interpretations or reviews deviate
E1. Establish a matrix of fully inherited hybrid responsibilities for SaaS and develop a SaaS assessment process that utilizes existing assessment processes to the extent possible
ConMon Process Recommendations:
A1. Implement an integrated GRC tool for agency and FR authorizations that can ingest common annual assessment and change request data for an integrated risk picture and a “single pane of glass” view for all agencies utilizing the CSO
B2. Integrate ConMon into the OSCAL/EGRC work
Automation Initiatives Recommendations:
A2. Continue efforts to educate stakeholders in automated standards (e.g., OSCAL)
A4. Incentivize OSCAL adoption and review areas ripe for automation in the workflow. Set up a working group to incentivize industry to participate in developing, maintaining, and adopting automation technologies
C5. Enable the ingestion of data into the CISA repository and share the information across agency customers, with consideration for protecting sensitive information
E1. Fully fund an award (if necessary, multi-year) for an automation support contract to support the agencies as well as the FedRAMP PMO
E2. Ensure necessary resources are available to provide more attention and focus on OSCAL and to expedite the OSCAL adoption process
Row 6 | Created: 01/11/24 5:35 PM | Marci Womack
CSP Authorization Path Recommendations:
A1. Outsource a standardized review process by sharing a machine-readable PMO checklist with CSPs/Agencies, who can attest to it (i.e., limit PMO review and oversight)
B2. Publish (on a quarterly cadence) the issues that have been identified or discovered and, where possible, what was or will be done to address them, to increase transparency and drive quality improvements
B4. Ensure security consistency and reuse of acceptance by expanding the CSO security package documentation to include a guide defining baseline secure configurations and deployments
B5. Create a process to evaluate quality issues and inconsistencies to determine whether FedRAMP documentation should be updated to clearly communicate expectations and prevent recurrence of issues
C1. Increase standardization across reviewers for control interpretation and review, with a consistent and explicit escalation process where interpretations or reviews deviate
C2. Establish a more agile PMO review process; provide incremental, iterative feedback on security packages to CSPs to keep the process moving and eliminate waiting in the queue for a full review
E4. Set a cadence for template and documentation updates from FedRAMP with established public feedback timelines, including updates to control interpretations or expectations
ConMon Process Recommendations:
A1. Implement an integrated GRC tool for agency and FR authorizations that can ingest common annual assessment and change request data for an integrated risk picture and a “single pane of glass” view for all agencies utilizing the CSO
D2. Redefine what qualifies as a Significant Change Request (SCR)
D3. Define a baseline for Significant Change Requests (SCRs) and the minimum acceptable standards
Automation Initiatives Recommendations:
A3. Coordinate with FedRAMP, 3PAOs and industry stakeholders to identify lower-risk controls that can be automated, so that effort can focus on the higher-risk controls and lower the timeline and cost of assessment and authorization
A4. Incentivize OSCAL adoption and review areas ripe for automation in the workflow. Set up a working group to incentivize industry to participate in developing, maintaining, and adopting automation technologies
B1. Review the current set of requirements, controls and deliverables to determine if they are still necessary. Identify opportunities for descoping things that are less relevant to the security of cloud offerings...
C4. Prioritize the adoption of OSCAL as a means to accelerate automation
E2. Ensure necessary resources are available to provide more attention and focus on OSCAL and to expedite the OSCAL adoption process
Row 7 | Created: 01/11/24 2:41 PM | Branko Bokan
CSP Authorization Path Recommendations:
A2. Review and establish FedRAMP control inheritance, available for CSP/Agency review via publicly available crosswalks from other control reviews within the US government or other authoritative and accepted sources (ISO, PCI, etc.), for reciprocity
C4. Generate evidence/artifacts for authorization in an automated fashion, using OSCAL or a similar industry-adopted open standard, to create a clearer understanding of the risks of using a cloud service offering
E1. Establish a matrix of fully inherited hybrid responsibilities for SaaS and develop a SaaS assessment process that utilizes existing assessment processes to the extent possible
G1. Establish a minimum standard of requirements for CSPs that are non-negotiable for authorization and cannot be met with alternative implementations
ConMon Process Recommendations:
A1. Implement an integrated GRC tool for agency and FR authorizations that can ingest common annual assessment and change request data for an integrated risk picture and a “single pane of glass” view for all agencies utilizing the CSO
B1. Prioritize the ingestion of ConMon data into the CDM stack and provide analytics to understand shared risk across the government
D1. Identify and implement interim solutions for improving ConMon until new automation capabilities are available (e.g., redefine requirements for monthly vulnerability scans)
Automation Initiatives Recommendations:
A4. Incentivize OSCAL adoption and review areas ripe for automation in the workflow. Set up a working group to incentivize industry to participate in developing, maintaining, and adopting automation technologies
C1. Accelerate ingestion of FedRAMP data into existing solutions like CDM, and vice versa (e.g., threat intel from FIPs to the GRC)
C5. Enable the ingestion of data into the CISA repository and share the information across agency customers, with consideration for protecting sensitive information
Row 8 | Created: 01/11/24 2:33 PM | Daniel Pane
CSP Authorization Path Recommendations:
B5. Create a process to evaluate quality issues and inconsistencies to determine whether FedRAMP documentation should be updated to clearly communicate expectations and prevent recurrence of issues
C1. Increase standardization across reviewers for control interpretation and review, with a consistent and explicit escalation process where interpretations or reviews deviate
C5. Develop an agency review process whereby compliant agency authorizations move to the marketplace without additional review
E3. Establish a FedRAMP mentorship (“sherpa”) program to provide opportunities for experienced agencies to train and support those who have not gone through the process
F2. Address sponsorship challenges: reassess when a sponsor is actually needed before a CSP can move further through its authorization pathway and who can be a sponsor, and create strategies that ensure CSPs are able to get a sponsor
G1. Establish a minimum standard of requirements for CSPs that are non-negotiable for authorization and cannot be met with alternative implementations
G2. Establish alternative implementation exceptions whereby controls/guidance are met in a way that differs from common CSP implementations yet is still secure and is reviewed by the 3PAO
ConMon Process Recommendations:
A1. Implement an integrated GRC tool for agency and FR authorizations that can ingest common annual assessment and change request data for an integrated risk picture and a “single pane of glass” view for all agencies utilizing the CSO
D2. Redefine what qualifies as a Significant Change Request (SCR)
D3. Define a baseline for Significant Change Requests (SCRs) and the minimum acceptable standards
Automation Initiatives Recommendations:
A2. Continue efforts to educate stakeholders in automated standards (e.g., OSCAL)
A3. Coordinate with FedRAMP, 3PAOs and industry stakeholders to identify lower-risk controls that can be automated, so that effort can focus on the higher-risk controls and lower the timeline and cost of assessment and authorization
B1. Review the current set of requirements, controls and deliverables to determine if they are still necessary. Identify opportunities for descoping things that are less relevant to the security of cloud offerings...
C1. Accelerate ingestion of FedRAMP data into existing solutions like CDM, and vice versa (e.g., threat intel from FIPs to the GRC)
E1. Fully fund an award (if necessary, multi-year) for an automation support contract to support the agencies as well as the FedRAMP PMO
Row 9 | Created: 01/11/24 10:26 AM | La Monte Yarborough
CSP Authorization Path Recommendations:
A2. Review and establish FedRAMP control inheritance, available for CSP/Agency review via publicly available crosswalks from other control reviews within the US government or other authoritative and accepted sources (ISO, PCI, etc.), for reciprocity
B1. Establish means for the FedRAMP PMO to track the type/details of quality issues in security packages
B4. Ensure security consistency and reuse of acceptance by expanding the CSO security package documentation to include a guide defining baseline secure configurations and deployments
C2. Establish a more agile PMO review process; provide incremental, iterative feedback on security packages to CSPs to keep the process moving and eliminate waiting in the queue for a full review
C5. Develop an agency review process whereby compliant agency authorizations move to the marketplace without additional review
E1. Establish a matrix of fully inherited hybrid responsibilities for SaaS and develop a SaaS assessment process that utilizes existing assessment processes to the extent possible
F1. Increase engagement with CSPs to increase knowledge exchange and improve the overall process
ConMon Process Recommendations:
A1. Implement an integrated GRC tool for agency and FR authorizations that can ingest common annual assessment and change request data for an integrated risk picture and a “single pane of glass” view for all agencies utilizing the CSO
A3. Centralize all ConMon for FedRAMP agency authorizations
B2. Integrate ConMon into the OSCAL/EGRC work
Automation Initiatives Recommendations:
A3. Coordinate with FedRAMP, 3PAOs and industry stakeholders to identify lower-risk controls that can be automated, so that effort can focus on the higher-risk controls and lower the timeline and cost of assessment and authorization
B1. Review the current set of requirements, controls and deliverables to determine if they are still necessary. Identify opportunities for descoping things that are less relevant to the security of cloud offerings...
B3. Assess FedRAMP baseline security controls to determine which can be automated or inherited from other authorization programs
C4. Prioritize the adoption of OSCAL as a means to accelerate automation
E1. Fully fund an award (if necessary, multi-year) for an automation support contract to support the agencies as well as the FedRAMP PMO
Row 10 | Created: 01/10/24 9:10 PM | Michael Vacirca
CSP Authorization Path Recommendations:
A1. Outsource a standardized review process by sharing a machine-readable PMO checklist with CSPs/Agencies, who can attest to it (i.e., limit PMO review and oversight)
A2. Review and establish FedRAMP control inheritance, available for CSP/Agency review via publicly available crosswalks from other control reviews within the US government or other authoritative and accepted sources (ISO, PCI, etc.), for reciprocity
C1. Increase standardization across reviewers for control interpretation and review, with a consistent and explicit escalation process where interpretations or reviews deviate
C2. Establish a more agile PMO review process; provide incremental, iterative feedback on security packages to CSPs to keep the process moving and eliminate waiting in the queue for a full review
C3. Provide increased transparency into the queue and alignment with SLOs so that CSPs can see exactly where they are in the queue and how long they have been, or are expected to remain, in that position
C4. Generate evidence/artifacts for authorization in an automated fashion, using OSCAL or a similar industry-adopted open standard, to create a clearer understanding of the risks of using a cloud service offering
D2. Set and measure service level objectives (SLOs) for each phase of the authorization process, regardless of which pathway is chosen (i.e., those mentioned in and created in compliance with Section IV); establish SLOs for response windows
ConMon Process Recommendations:
A1. Implement an integrated GRC tool for agency and FR authorizations that can ingest common annual assessment and change request data for an integrated risk picture and a “single pane of glass” view for all agencies utilizing the CSO
B2. Integrate ConMon into the OSCAL/EGRC work
D4. Provide CSPs with a roadmap for the overall prioritization of controls, timelines for when the data can be consumed by the authorizing body, and any intermediate and final deadlines by which CSPs may have to make conforming changes
Automation Initiatives Recommendations:
A1. Establish an exploratory committee to create an open source community around compliance so that automation can be achieved in a reasonable timescale
A3. Coordinate with FedRAMP, 3PAOs and industry stakeholders to identify lower-risk controls that can be automated, so that effort can focus on the higher-risk controls and lower the timeline and cost of assessment and authorization
A4. Incentivize OSCAL adoption and review areas ripe for automation in the workflow. Set up a working group to incentivize industry to participate in developing, maintaining, and adopting automation technologies
B1. Review the current set of requirements, controls and deliverables to determine if they are still necessary. Identify opportunities for descoping things that are less relevant to the security of cloud offerings...
E1. Fully fund an award (if necessary, multi-year) for an automation support contract to support the agencies as well as the FedRAMP PMO
Row 11 | Created: 01/09/24 10:55 AM | Bo Berlas
CSP Authorization Path Recommendations:
B4. Ensure security consistency and reuse of acceptance by expanding the CSO security package documentation to include a guide defining baseline secure configurations and deployments
B5. Create a process to evaluate quality issues and inconsistencies to determine whether FedRAMP documentation should be updated to clearly communicate expectations and prevent recurrence of issues
C4. Generate evidence/artifacts for authorization in an automated fashion, using OSCAL or a similar industry-adopted open standard, to create a clearer understanding of the risks of using a cloud service offering
C5. Develop an agency review process whereby compliant agency authorizations move to the marketplace without additional review
E1. Establish a matrix of fully inherited hybrid responsibilities for SaaS and develop a SaaS assessment process that utilizes existing assessment processes to the extent possible
F2. Address sponsorship challenges: reassess when a sponsor is actually needed before a CSP can move further through its authorization pathway and who can be a sponsor, and create strategies that ensure CSPs are able to get a sponsor
G1. Establish a minimum standard of requirements for CSPs that are non-negotiable for authorization and cannot be met with alternative implementations
ConMon Process Recommendations:
A1. Implement an integrated GRC tool for agency and FR authorizations that can ingest common annual assessment and change request data for an integrated risk picture and a “single pane of glass” view for all agencies utilizing the CSO
A2. Develop an agency-agnostic common reference architecture for an integrated EGRC ecosystem, with automated update of customer and related CSP responsibilities, that provides guidance on which metrics and automation outputs will be used for each control
A3. Centralize all ConMon for FedRAMP agency authorizations
Automation Initiatives Recommendations:
A4. Incentivize OSCAL adoption and review areas ripe for automation in the workflow. Set up a working group to incentivize industry to participate in developing, maintaining, and adopting automation technologies
B1. Review the current set of requirements, controls and deliverables to determine if they are still necessary. Identify opportunities for descoping things that are less relevant to the security of cloud offerings...
B2. Partner with NIST to establish standards for sharing CUI/PII/BII sensitive data through OSCAL (e.g., CRM datasets consumed by an eGRC solution)
C3. Establish an open, standards-based framework that would allow a CSO to update CRMs that would be able to automatically subscribe to the GRC
D1. Publish authorization timelines and timeline goals regularly and publicly, with a focus on implementing transparency in the process wherever practicable or feasible