Officials with the Federal Risk and Authorization Management Program (FedRAMP) are urging industry players to move quickly in preparing their submissions for the FedRAMP 20x Phase One pilot that the program detailed in a blog post last week.

The Phase One pilot, FedRAMP said, will test “how cloud service providers can meet FedRAMP Low authorization requirements using a combination of automated technical validation, existing commercial certification, and simple documentation requirements to generate machine-readable packages that can be assessed by trusted third parties.”

The pilot springs from FedRAMP’s 20x revamp effort launched last month, which places a heavy focus on automation to speed the approval process for secure cloud services authorized by FedRAMP, and to make obtaining program authorizations simpler, easier, and cheaper while continuously improving security.

As part of the 20x effort, FedRAMP created four new working groups to explore program improvements in the areas of continuous monitoring, automating assessments, applying existing frameworks, and continuous reporting.

“We really encourage people to start working on this right now,” a FedRAMP staff member said today during a meeting of the recently created Automating Assessments working group.

“Don’t wait for more clarification or more guidance … we want this to be really open-ended and see what people can come up with, so now is the time to go ahead and get started,” the staff member said.

“When submissions are open in a few weeks, we’re going to be reviewing them in the order that we receive them, so if you want to get your submission reviewed faster, have it ready and be able to submit as soon as we open for that,” the staff member said.

FedRAMP said last week that the 20x Phase One pilot is open to the public and explained that “qualifying cloud service offerings that successfully complete Phase One will receive a 12-month FedRAMP Low authorization and will be prioritized for FedRAMP Moderate authorization in Phase Two.”

On today’s working group call, another FedRAMP staff member recapped that “FedRAMP 20x is based on the concept of key security indicators, which we talk about a lot, and they are specific security capabilities based on the NIST controls that cloud services must demonstrate.”

“Our Phase One pilot is really aligned with the key security indicators (KSIs), and we hope to understand how the key security indicators can be used to determine automated assessment and validation capabilities for cloud-native service providers,” they said.

Additionally, the staff member said FedRAMP hopes to understand how documentation requirements can be reduced and to assess how third-party assessment organizations can use automated machine-readable packages, among other aims.

“Along the way, we will also explore how platform-as-a-service, infrastructure-as-a-service, and other third party tools can support customer validation in this pilot and beyond,” the staff member said.

“In the beginning stages of this new thing called 20x we want to give you, the cloud service providers, an opportunity to do what you do best – innovate, be scrappy, be ingenious, and show us how you hope to engage with FedRAMP in the new 20x era,” they said.

“As we’ve said before, we want to set the standards and policy so that private innovation can design the solution,” the staff member said. “Private innovation is on the call with us today, and we’ve already set the standards. Now it’s your turn to design the solution.”

John Curran
John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.