FedRAMP Seeks Comments on Threat-Based Scoring Approach to Authorizations

The Federal Risk and Authorization Management Program is soliciting comments on an updated white paper that reflects changes to threat-based scoring methodology and informs stakeholders of its potential applications.

FedRAMP said Tuesday it expects the threat-based model to allow federal agencies and cloud service providers to prioritize security controls that are effective against the current threat environment and to make quantitative risk management decisions when authorizing cloud platforms for government use.

The Threat-Based Methodology White Paper reflects updates to the scoring approach and alignment with the Mitre ATT&CK threat framework version 8.2.

FedRAMP previously used the NSA/CSS Technical Cyber Threat Framework, or NTCTF, in its threat-based scoring methodology.

The program aligned the threat-based model with the Mitre ATT&CK threat framework by analyzing each NIST SP 800-53, Rev. 5 security control within the FedRAMP High baseline.

The threat-based risk profiling methodology has three phases: threat-based analysis; security controls assessment; and risk profiling.
