
MITRE’s Response to the FedRAMP RFI on Metrics

MITRE’s data-driven responses to a FedRAMP request for information (RFI) seeking feedback on their draft metrics.


What’s the issue? The Federal Risk and Authorization Management Program (FedRAMP) asked for public feedback on a proposed set of metrics that would measure the end-to-end FedRAMP authorization experience and align with FedRAMP’s mission of being a security-first program. FedRAMP will use the feedback to focus and refine this list into a set of measures that keep the program focused on security and customer experience.

What did we do? Our Center for Data-Driven Policy led a cross-MITRE analysis of draft metrics and the RFI’s posed questions, seeking to uncover data and evidence (from our work in the public interest) that would help the program understand opportunities and develop plans that are evidence-based, actionable, and effective.

What did we find? MITRE recommends that FedRAMP expand its metrics approach to enhance its effectiveness beyond the traditional scope of the cost and timeliness of the program. This rethink is needed to address rising costs, improve security performance, and foster innovation by reducing redundant assessments and streamlining compliance. By adopting more meaningful and real-time metrics, FedRAMP can better ensure the security of cloud services, enhance national cybersecurity, and facilitate faster deployment of secure cloud solutions. This response provides specific recommendations addressing:

  • Rethinking FedRAMP Processes and Metrics to Drive Reciprocity
  • Measuring Reciprocity as an Indicator of Industry Cost of Authorization
  • Rethinking FedRAMP Measures of Effectiveness to Drive Improvements in Operational Cyber Performance and National Security
  • Rethinking FedRAMP Continuous Monitoring Metrics to Improve National Security
  • Rethinking FedRAMP Continuous Monitoring with Continuous Testing
  • Rethinking FedRAMP Metrics to Support Adoption of Quantum Resistant Cryptography and Zero Trust Initiatives