David McKeown, who last month took on the title of special assistant for cybersecurity innovation at the Defense’s Department’s Office of the CIO, said this week he’s trying to expedite the timeline for vendor applications through the Federal Risk and Authorization Management Program (FedRAMP), and is eyeing a three-month window for that process.
Speaking during Digital Government Institute’s “FedRAMP—Modernizing Secure Cloud Service Adoption” webinar on Jan. 30, McKeown said he wants new FedRAMP applications completed in a period of three months from “start to finish.”
McKeown, who previously served as Deputy DoD CIO for Cybersecurity and DoD Chief Information Security Officer (CISO), is a member of the FedRAMP board created in May 2024 by the General Services Administration (GSA), which operates FedRAMP.
Speaking on Jan. 30, he said DoD’s new goal is a result of internal efficiency improvements and more reliance on automation within FedRAMP.
FedRAMP acts as the official authorization body for cloud services projects across the Federal government. With this responsibility, the program has seen a large increase in its use to connect private vendors to public agencies through cloud service offerings.
McKeown said the backlog of applications at FedRAMP currently stands at 65, down from a previous backlog of 85 vendor applications.
“The metric that I would give you isn’t a flattering one, and it’s not the goal,” McKeown said of the program’s current authorization rate. “It starts with getting through that backlog queue,” he added.
McKeown referenced a recent authorization FedRAMP did for an unnamed artificial intelligence (AI) company that took three months but highlighted that not all projects are on that same timeline.
McKeown also recommended vendors invest in market research before applying for FedRAMP authorizations and warned that cost is a significant factor to consider.
“It’s a big upfront cost,” McKeown said about FedRAMP applications. “If you have just one customer that wants to leverage you then I would recommend just working with that customer and not doing FedRAMP.”
McKeown said the three-month new authorization goal reflects how FedRAMP has been restructuring its processes over the past year.
“We’re looking at agile ways to iterate on major changes inside a cloud services offering,” McKeown said. “It’s already certified, it’s already on the marketplace, but they’re making significant changes to some capability,” he added referring to FedRAMP’s current application process.
