FedRAMP 20x: Reformulating the Authorization Process

Morrison & Foerster LLP - Government Contracts Insights

FedRAMP Director Pete Waterman recently unveiled the “FedRAMP 20x” plan – a proposal designed to reimagine and reformulate the FedRAMP authorization process for federal government use of cloud-based products and services. Engagement with stakeholders is a key part of the initiative, as is reducing bureaucratic reviews of formulaic spreadsheets in favor of a more streamlined and dynamic authorization process.

The Federal Risk and Authorization Management Program, or FedRAMP, is a process used by the federal government to ensure that cloud service offerings meet certain cybersecurity requirements before agencies can use them. FedRAMP modernization has been in process for a while, as discussed in our article from late last year.

The current re-envisioning appears to have coincided with the start of the Trump administration, and to have come into more concrete focus in the past few weeks.

Key features of the plan include the following:

Status quo for the immediate term. The current FedRAMP “Rev 5” agency authorization process (described in detail on this webpage) will remain in effect. As stated on the newly updated FedRAMP.gov website: “The traditional FedRAMP Agency Authorization process is the only path to FedRAMP authorization today and it’s not going away any time soon!” Waterman estimates that the current agency authorization backlog of products in the queue awaiting authorization can be cleared by the end of April. The agency authorization process will remain the only active path to FedRAMP authorization until a new process is officially developed and launched. Agencies and the FedRAMP program management office (PMO) will continue processing new authorization requests until further notice.

Stakeholder engagement as a driver of change. The FedRAMP PMO is coordinating internally with its agency partners and plans to engage with industry stakeholders through what it has called “FedRAMP 20X Community Working Groups.” The schedule for these public working group sessions, as well as additional details about how to participate and how the process will work, are available online. The goal of these working groups is for industry to help develop a modernized authorization process that is less complicated and bureaucratic and that incorporates continuous developments and commercial improvements. As envisioned, government and industry will collaborate to transform the process together. FedRAMP then will set standards that enable private industry to create solutions.

Movement toward automated processes. One goal of the FedRAMP revisions is to use automation to expedite the authorization process. Manual compliance checklists against standard security baselines will be replaced with automated security validation of key security indicators. Examples of key indicators to be validated include:

  • Federal information is encrypted when stored and transmitted.
  • Phishing-resistant multi-factor authentication is required.
  • Zero trust architecture is in place.
  • High-risk events are logged and audited.

Expedited review for low impact offerings. Companies seeking FedRAMP Low authorization might expect to speed through that process in a matter of weeks. In his presentation, Waterman contrasted the prior “Two years and $500k to get FedRAMP Low” with the anticipated “Two weeks and $5k to get FedRAMP Low.”

Opportunities for Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) offerings to host other companies’ cloud services. IaaS and PaaS platforms with current FedRAMP authorizations can leverage their services to allow other companies to deploy their offerings on these trusted platforms, and provide ways to validate the security of the new offerings, so they can be authorized quickly. This structure would be most useful for simple offerings with minimal third-party integrations and services provided online only.

Conclusion

The FedRAMP PMO’s efforts to move to a common sense authorization process could have huge benefits for industry and federal agencies alike. A novel approach to FedRAMP could result in hundreds of new approvals a year, providing agencies with expedited access to the latest and greatest technology. Reduction of authorization-associated costs and elimination of barriers, such as the requirement for an agency sponsor, would also be expected to dramatically increase cloud service providers’ interest in the pursuit of FedRAMP authorization. Although the devil will be in the details, and maintaining the security of federal government data and information should remain a paramount concern, FedRAMP 20x has the makings of a rare win-win for government and the tech community.
