The Federal Risk and Authorization Management Program (FedRAMP) recently teamed up with the Cybersecurity and Infrastructure Security Agency (CISA) to apply CISA's .govCAR methodology to score the security controls of cloud service providers based on their capability to detect and respond to threats, and now intends to apply the framework to eight other aspects of the FedRAMP authorization process, FedScoop reported Thursday.
CISA uses the .govCAR method to perform threat-based assessments of cyber capabilities.
FedRAMP now plans to integrate the methodology into annual reviews to focus on threat-based controls and to use it in the agile authorization process. The program is also considering using the framework to help prioritize remediation initiatives, improve continuous monitoring of systems and support decision-making with threat-based data.
“FedRAMP is exploring how this data can be used to create a risk profile of each security capability in support of authorization decisions,” said Zach Baldwin, program manager for strategy, innovation and technology within FedRAMP’s program management office at the General Services Administration.
Baldwin noted that FedRAMP is performing control assessments and intends to issue updated risk scoring in an upcoming blog post.