CRE recommended to the Information Security and Privacy Advisory Board (ISPAB) that metrics are needed to assess whether FedRAMP is living up to its promise. Specifically, metrics need to be developed which would accurately, objectively and transparently measure the security effectiveness and the cost effectiveness of Cloud Service Providers under the FedRAMP program.
Moreover, since the federal government will eventually regulate the IT security of critical infrastructure, the metrics developed for FedRAMP will also be needed for whatever new regulatory program(s) come out of the various cybersecurity legislative proposals being deliberated by Congress. CRE expects that federal regulation of critical infrastructure cyberdefenses will be based on FedRAMP’s conformity assessment approach to regulatory compliance.
Since continuous monitoring is at the heart of FedRAMP security compliance, the metrics should focus on making use of advanced continuous monitoring capabilities.
ISPAB is a federal advisory committee chartered under FISMA which provides NIST and OMB with critical advice on protecting security and privacy.
Attached below is CRE’s statement.