Eric Mill, executive director for cloud security at the General Services Administration (GSA), offered a preview today of planned staffing additions at the Federal Risk and Authorization Management Program (FedRAMP) program office that GSA runs.
FedRAMP – which provides a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by Federal government agencies – is in the midst of an extensive revamp to comply with mandates approved by Congress in 2022 to codify the program into Federal law, and to undertake numerous efforts to speed FedRAMP evaluation and approval processes.
The Office of Management and Budget (OMB) issued draft guidance in October 2023 to modernize FedRAMP and to replace existing policies created for the program when it began in 2011. OMB has received extensive comment on the draft guidance but has not yet released its final guidance.
Speaking today at an event organized by the Alliance for Digital Innovation (ADI) to discuss ongoing changes to FedRAMP, Mill recalled GSA’s announcement in May of a new Technical Advisory Group (TAG) to help inform decision-making on the technical, strategic, and operational direction of the program.
The TAG, which is made up of senior Federal agency technology and security officials, will complement the work of the existing Federal Secure Cloud Advisory Committee, and according to GSA will provide “advice and guidance as requested by the FedRAMP program and the FedRAMP Board, helping FedRAMP make decisions on processes, policies, and other areas where independent technical expertise can strengthen outcomes.”
“One of the things I’m actually the proudest of is that we are really investing in technical expertise and advice for the program,” Mill said today.
“It’s been great to work with OMB to set up our technical advisory group, which has a stellar array of Federal practitioners with serious technical backgrounds in identity, cybersecurity, artificial intelligence, natural language processing, and real application security concept,” he said.
Mill cautioned that he wanted to be a “little careful here about talking about hiring until everything is done on the dotted line,” but the GSA official then said, “I’m pretty comfortable saying that by the end of this year, we will actually have a real technical team inside FedRAMP in the program office – that’s full-time Feds – with a diverse set of engineering skillsets in natural language processing and artificial intelligence and data science.”
“And it’s going to make us capable of really executing on the automation vision that folks were pushing forward for a number of years now in that relay race that has been ongoing,” Mill said, adding he foresees “us really becoming a delivery organization.”
“It’s also just going to make us smarter and better able to reason about the subtleties and implications that happen in … these compliance processes when you have everything that feels good on paper and everything that is just supposed to make sense,” he said.
“When things come into conflict anyway because the world is more complex than that, we need to be a team and an organization that is able to see that and bring people to the best risk and security outcome of that situation,” Mill said. “So that’s what we’re focused on doing here, and I hope that’s what has come through in our work.”
“We’ve long anticipated the update to the FedRAMP memo, we know that it has needed some updating for several years now as we have had a proliferation of cloud technology into the marketplace,” said Ross Nodurft, who is ADI’s executive director and a senior director of cybersecurity services at Venable LLP, and who moderated today’s event.
“This is frankly going to be a seminal moment, but hopefully it won’t be the end,” he said. He added that ADI hopes to host a follow-up to today’s event “in which we will bring folks back in and talk about now that we see the memo out there, now that we see things continuing to be implemented, what are the reactions were are getting.”
