The Federal Risk and Authorization Management Program (FedRAMP) has made it mandatory for every FedRAMP-authorized cloud service provider (CSP) to maintain a working “FedRAMP Security Inbox” – a dedicated email address designed to ensure CSPs receive and quickly respond to urgent governmentwide cybersecurity communications.

The new requirement took effect this week as part of FedRAMP’s Rev5 “Balance Improvement Releases.” During a FedRAMP Rev5 Community Working Group meeting on Jan. 7, FedRAMP officials said they hope to eliminate a growing communications gap by making the inbox mandatory.

“The basic requirement … is that you have an email that we, FedRAMP, can communicate with you on behalf of the government, and that you will receive and respond to. If that doesn’t exist, then ultimately you will lose your FedRAMP authorization,” FedRAMP Director Pete Waterman said during the meeting.

“There’s no excuse,” he added. “If you do not have a way that we can communicate with you, you cannot have a FedRAMP authorization.”

FedRAMP officials said the mandate comes in response to communication issues observed last fall. When the Cybersecurity and Infrastructure Security Agency (CISA) issued emergency directives, FedRAMP had follow-on requirements to communicate quickly to CSPs and their government customers, but officials said not every CSP could be reliably reached.

Under the new mandate, every CSP must ensure that the security email listed in its FedRAMP Marketplace listing is current and actively monitored.

FedRAMP officials said they plan to begin quarterly testing of inbox responsiveness in February, when the program will send an emergency test to every CSP and require them to complete a simple task through an embedded form.

Officials said the initial test will carry no penalty. However, FedRAMP plans to publish the results of that test for every provider, showing response times by impact level and identifying CSPs that respond slowly.

“In the future, once it becomes a formal thing, and there is no more grace period, as we do these quarterly tests, we will publish this as a security metric within your FedRAMP authorization,” Waterman said. “So, it is very important that people be responsive to these emergencies.”

“Aside from the quarterly tests, you are unlikely to receive an emergency request from FedRAMP unless there is an emergency directive, some intelligence, or other related stuff. We don’t plan on abusing this,” he stressed.

Coming RFCs

Aside from the FedRAMP Security Inbox, FedRAMP officials also highlighted three coming requests for comment (RFCs) during the community working group meeting.

The first one seeks input on requiring CSPs to report their assessment costs, and it proposes reporting methods that Waterman said “are designed to be simple, low burden, etc.”

The second RFC will focus on requiring CSPs that are maintaining the Rev5 process to switch to machine-readable packages. It establishes initial requirements and timelines for all CSPs to make the switch.

Finally, the third RFC is related to updating the FedRAMP Marketplace, and it creates formal labels for authorized services.

Waterman was unable to provide an exact timeline for the RFCs, but he said some could publish “as soon as next week.”

Grace Dille
Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.