Core Concepts
“ ” — M-24-15
FedRAMP 20x is a framework for businesses to set security goals for themselves, continuously validate the effectiveness of the capabilities used to meet those goals, measure their performance against those goals, and ensure security and engineering teams have the resources necessary to meet those goals. It is not a traditional compliance framework.
FedRAMP 20x is based on the following core concepts:
Transparency
Cloud service providers should share honest information about their security decisions without worrying about whether they meet an arbitrary bar or set of requirements that might not apply or make sense for them.
Flexibility
Informed engineering decisions that produce secure outcomes appropriate to a specific provider’s environment and goals are strongly encouraged. The effective security posture of a cloud service should never be reduced to meet a security control.
Accountability
Instead of compliance-focused audits that exist only to check a box, assessments provide direct business value by giving the business clarity on how effective its chosen measures are at driving its security goals and outcomes. No provider should need to prepare for a point-in-time audit, because the security of the cloud service is continuously and automatically enforced, monitored, and reported.
Accuracy
Assessments based on reviewing the effectiveness of security decisions instead of questioning the validity of each decision are more likely to lead to accurate reporting of a provider’s approach to security.
Automatic Validation
Once a goal is set and a method for measuring it is defined, its status, progress, and outcomes should be automatically enforced and validated without human input wherever possible, so that review is continuous and grounded in observed fact rather than assertion. A policy stating that a thing must happen means little compared to a continuous report showing how that thing is happening over time and what will automatically occur if it stops.
Why This Works
“ ” — FedRAMP Authorization Act
FedRAMP 20x acknowledges that security decisions are complex and that expectations for the security of a cloud service will vary depending on the specific use case and mission area where it is deployed. Instead of seeking a binary outcome in which a provider is assessed as either “secure” or “not secure,” the process focuses on ensuring that the overall security posture of a service has been accurately assessed so that it can be matched to an appropriate use case.
The government has many different needs for many different types of services, each with different requirements for confidentiality, integrity, and availability. The risk posture across these systems varies considerably: some carry little risk regardless of how secure the system is, while a compromise of others could undermine the operational effectiveness of an entire agency. It is not fair to agencies, or to the cloud services they wish to use, to require every service to meet requirements designed to secure the highest-risk systems.
For example, a cloud service used to host an agency’s primary public web site might be expected to have high availability, moderate integrity, and low confidentiality. Another cloud service used to host a web application for medical records might be expected to have moderate availability, high integrity, and high confidentiality.
In the traditional approach, both services would be required to meet all FedRAMP High security requirements before an agency could use them for either use case. The 20x approach allows the first agency to choose the cheaper cloud service that focuses on high availability while accepting added risk in other areas that can be easily offset (the web page is intended to be public, after all), while the second agency can quickly see that it would need the more expensive cloud service with stricter security goals in place.
“ ” — M-24-15
Instead of deciding whether a cloud service is “good enough” for every government-wide use case, the FedRAMP assessment process simply ensures that agencies have sufficient information to make the right security-based decisions when adopting cloud services.