Matthew Goodrich, director of the Federal Risk and Authorization Management Program, has said he wants to transform FedRAMP's approach to continuous monitoring of computer systems into a "more risk-based" one, in an interview with FCW published Thursday.
Goodrich told FCW that the continuous monitoring functions within FedRAMP are "solid" but remain compliance-based, Sean Lyngaas reports.
The Office of Management and Budget recommends that agencies move away from compliance-driven monitoring toward the risk-based approach the Department of Homeland Security seeks with its Continuous Diagnostics and Mitigation (CDM) initiative, according to FCW.
Lyngaas cited General Services Administration officials who said the two programs seem aligned, but noted CDM's complex structure, with its scheduled rollouts and monitoring styles, as a possible challenge to a union with FedRAMP.
The report said Goodrich also cautioned about other concerns that could arise.
“When you’re looking at rolling up reporting into a dashboard with government data, there are a lot of legal and policy and privacy implications for that for private-sector companies versus government assets,” Goodrich told FCW.