Background
On July 25, 2024, the Office of Management and Budget (OMB) released memorandum M-24-15 with a significant directive to modernize the Federal Risk and Authorization Management Program (FedRAMP) and accelerate the adoption of new commercial cloud service offerings (CSOs) for the Government.
Within 18 months of the release of M-24-15, the memo directs FedRAMP to begin receiving digital authorization packages from cloud service providers (CSPs) in Open Security Controls Assessment Language (OSCAL) to enable automation of the FedRAMP review process. Adopting OSCAL will reduce the time and resources spent on security assessments and authorization. Furthermore, OMB’s presumption of adequacy means agencies can reuse FedRAMP authorization without repeating an assessment. Together, these two requirements will increase the number of FedRAMP Authorizations and lower costs to attain those authorizations.
As part of its modernization efforts and product roadmap strategy, FedRAMP is launching a new platform which will enable them to receive digital authorization packages in OSCAL. This will lead to an eventual requirement that all CSPs and third-party assessment organizations (3PAOs) submit their relevant authorization artifacts following FedRAMP’s digital authorization package requirements in OSCAL.
Agility via Automation – A Powerful Combination
stackArmor’s ThreatAlert® Security Platform, engineered as a General Support System (GSS), provides CSPs with an extensive suite of security, networking, and management services meticulously mapped to NIST SP 800-53 security controls. This foundational layer enables CSPs to implement robust, government-ready security baselines. DRTConfidence automates this solution by taking the mapped security controls from the ThreatAlert® Security Platform, converting them into OSCAL, and creating a FedRAMP-compliant digital authorization package. Here’s how DRTConfidence and stackArmor are providing significant value in the cybersecurity space:
1. Automated SSP Population
The ThreatAlert® Security Platform provides the first-ever comprehensive implementation of component definitions (CDEFs) in OSCAL format that represents the General Support Services offered to CSPs. These CDEFs represent a majority of the controls that must be implemented for a FedRAMP authorization. DRTConfidence leverages these component definitions to auto-populate the System Security Plan (SSP) in OSCAL and runs automated validation to ensure alignment with FedRAMP OSCAL guidelines.
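As an added illustration of the auto-population and validation steps described above (constructed example code, not DRTConfidence or stackArmor code): a minimal OSCAL 1.x component definition is walked and turned into SSP `control-implementation` entries, and any baseline control no component claims is reported as a gap. The component, its UUIDs, the `source` href and the baseline subset are all made up for the example.

```python
import uuid

# Constructed sample component definition in OSCAL 1.x JSON layout (not a real stackArmor CDEF).
CDEF = {
    "component-definition": {
        "uuid": "11111111-1111-4111-8111-111111111111",
        "components": [{
            "uuid": "22222222-2222-4222-8222-222222222222",
            "type": "service",
            "title": "Sample centralized logging service (constructed)",
            "control-implementations": [{
                "uuid": "33333333-3333-4333-8333-333333333333",
                "source": "#placeholder-baseline-profile",  # hypothetical profile reference
                "implemented-requirements": [
                    {"uuid": "44444444-4444-4444-8444-444444444444", "control-id": "au-2",
                     "description": "Auditable events are configured centrally."},
                    {"uuid": "55555555-5555-4555-8555-555555555555", "control-id": "au-6",
                     "description": "Audit records are reviewed and analyzed."},
                ],
            }],
        }],
    }
}

# Constructed subset of baseline control ids the SSP must cover.
BASELINE = ["ac-2", "au-2", "au-6", "si-4"]


def populate_ssp(cdef, baseline):
    """Build SSP implemented-requirements from component definitions.

    Returns (implemented, gaps): one SSP implemented-requirement per baseline
    control, carrying a by-components entry for every component that claims
    the control, plus the baseline controls that no component covers (these
    are the items that would need a POA&M entry rather than an SSP narrative).
    """
    by_control = {}
    for comp in cdef["component-definition"]["components"]:
        for impl in comp.get("control-implementations", []):
            for req in impl.get("implemented-requirements", []):
                by_control.setdefault(req["control-id"], []).append({
                    "uuid": str(uuid.uuid4()),
                    "component-uuid": comp["uuid"],
                    "description": req.get("description", ""),
                })
    implemented = [
        {"uuid": str(uuid.uuid4()), "control-id": cid, "by-components": by_control[cid]}
        for cid in baseline if cid in by_control
    ]
    gaps = [cid for cid in baseline if cid not in by_control]
    return implemented, gaps
```

The `implemented` list drops straight into an SSP's `control-implementation.implemented-requirements`; the `gaps` list is the validation result a reviewer would want before submission.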
2. Real-Time Scanning and Updating
ThreatAlert® Security Platform’s scanning tools continuously monitor the technical configurations of the CSP’s environment. Changes detected by these tools are communicated to DRTConfidence via application programming interfaces (APIs), and automatically update the SSP. This eliminates the need to manually update the SSP when configuration changes occur.
3. POA&M Management
The ThreatAlert® Security Platform utilizes “playbooks” to identify and manage Plans of Action and Milestones (POA&Ms). These playbooks outline a process for managing POA&M items in an efficient and FedRAMP-compliant manner. Updates to POA&M items are automatically transmitted to DRTConfidence via APIs to generate a fully validated FedRAMP OSCAL POA&M.
4. Authorization Package Preparation
DRTConfidence automatically consolidates all authorization artifacts, translates them into OSCAL and validates the package against all FedRAMP requirements prior to submission. This eliminates the excessive resources required to manage an authorization package using Excel spreadsheets and Word-based documents.
In Summary
The ThreatAlert® Security Platform and DRTConfidence automate large parts of the FedRAMP digital authorization package.
About DRTConfidence
DRTConfidence, hosted in a FedRAMP JAB High Government Cloud, provides Governance, Risk, and Compliance (GRC) management capabilities in a standardized OSCAL machine-readable format. The platform can generate compliance artifacts (SSP, SAR, SAP, POA&M), import leveraged packages, build component repositories, create system workflows, and integrate with DevSecOps pipelines. DRTConfidence is the first and only platform that has submitted a complete digital authorization package in OSCAL to FedRAMP and passed all FedRAMP validations.
About stackArmor
stackArmor brings together decades of experience and mission-critical expertise in managed services, workload management, cloud migration, cybersecurity, and compliance solutions for customers in highly regulated industries such as government, defense, aerospace, and the global public sector. Their industry-vetted solution and ATO Accelerator offering, ThreatAlert®, reduces the time and cost of FedRAMP, FISMA, and NIST compliance by 40%. stackArmor’s platform, ThreatAlert®, runs on major hyperscale cloud providers and provides end-to-end security and compliance solutions, including in-boundary systems, landing zones, 24x7 continuous monitoring, encryption, and incident response services. As an integrated advisory and engineering solution, the ThreatAlert® ATO Accelerator includes compliance documentation to reduce overall ATO project costs.
Join Us on This Journey
Contact us today to learn more about how the DRTConfidence and stackArmor partnership can enhance your FedRAMP authorization efforts.