Federal CIO Clare Martorana emphasized today that recent and ongoing changes to the General Services Administration’s (GSA) Federal Risk and Authorization Management Program (FedRAMP) are central to making progress on some of the Biden administration’s top government technology goals.
Speaking today at an event organized by the Alliance for Digital Innovation (ADI), Martorana pointed to recent policy efforts by the Office of Management and Budget (OMB) to modernize FedRAMP and its processes, including extensive modernization efforts mandated by the FedRAMP Authorization Act approved by Congress late in 2022.
FedRAMP was created in 2011 to provide a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by Federal agencies.
Over the past 13 years, Martorana said, “cloud has evolved pretty dramatically and is a cornerstone for the way that we are currently operating our modern systems.” As such, “FedRAMP is a very high priority for us,” she said.
Martorana said that when she began her tenure as Federal CIO in 2021, the first three pieces of advice she got were about FedRAMP – “Please fix it, please modernize it, please accelerate it, please do everything that you can because it’s really hindering our ability to modernize across government.”
“We’ve really tried to meet that moment over the Biden-Harris administration and really continue to focus on this,” she said.
In particular, she spoke about the need to speed up the pace of authority to operate (ATO) processes necessary for Federal agencies to use cloud services.
“We spend too much time on the ATO process in general,” she said. “Within agencies, it’s burdensome, and every time that we focus on trying to accelerate delivery in an agency, we oftentimes stumble upon much of our bureaucratic internal challenges, and that is where FedRAMP’s do-once use-many approach really promotes the reuse of standardized security assessments to save agencies time and resources.”
Looking ahead, Martorana said “our future vision for FedRAMP reflects on our commitment to three key priorities – strengthening security and risk management, improving customer experience, and reducing time and cost through automation.”
On the first point, she emphasized that “FedRAMP needs to be a security program, not a compliance program. It is mission critical that we focus on security.”
The second priority is “making sure that we focus on the customer experience,” the Federal CIO said, adding, “so working with GSA, they’ve implemented a new program governance model, established formal feedback loops with industry and agency practitioners and experts through the Federal Secure Cloud Advisory Committee and the Technical Advisory Group to ensure that we’re collecting the voice of the customer in everything that we do.”
“FedRAMP is also proactively seeking inputs from these groups and the public through public comment,” Martorana said.
“We have been focused, again through the Biden-Harris administration, on making sure that we are doing human-centered policy design, that we are talking to the customers of all of our services to make sure that we are incorporating their feedback directly into the policies that we are writing,” she said.
“The public comment process will inform further guidance from the program related to the important security areas and program governance such as cryptography and program metrics,” she said.
And to improve efficiency, “we’re really leveraging up on automation to accelerate the authorization process to make sure that we can move quickly,” Martorana said.
“An example is we had a significant change request process that has been really cumbersome in the past, and the FedRAMP team is conducting agile delivery pilots, which empowers cloud providers to continuously deliver assets and improvements using secure and agile delivery and deployment practices,” she said. “This will allow agencies to leverage the latest security features and services while removing roadblocks for [cloud service providers] to bring these features to market.”
The Federal CIO added, “we are also trying to shift from manual to digital authorization packages. Once we have security packages and continuous monitoring on data in machine-readable formats with the FedRAMP automation platform in place, we can analyze the data, and this should help us more rapidly detect and respond to real-world threats.”
“These changes are just part of the journey that we’ve been going on,” Martorana said, while pointing to the larger improvements that she expects the FedRAMP overhaul to produce.
“We are really focused on making sure that cloud technology is agile, secure, and responsive to public needs, and that we at Federal agencies are capable of utilizing these incredible products across our ecosystem so that the innovative solutions, combined with our commitment to security and compliance, can usher in a new era of digital government,” she said.
“We’re not just updating process, we’re laying the groundwork for a technological revolution in service delivery to the public,” Martorana said.