The General Services Administration’s (GSA) Federal Risk and Authorization Management Program (FedRAMP) is calling on industry to join its new Digital Authorization Package pilot – launched on Wednesday – and to submit public comments on the many changes coming to FedRAMP.

During an event in Washington today hosted by the Information Technology Industry (ITI) Council, Federal tech officials explained that the new pilot is just one way to engage with the FedRAMP team.

“Take advantage of the opportunities that are in front of you right now to provide feedback,” said David Waltermire, the data strategy and standards lead at FedRAMP. “Participate in public comment periods on the policies that we have out there and take advantage of the forums that we have available right now to work together.”

“Yesterday, we launched a new pilot around digital authorization packages,” he continued, adding, “We’re approaching that in an open source way, where you can work with us to explore that topic. So, taking advantage of forums like that, and if you feel that we’re not addressing a critical need that is top of mind for you, reach out to us.”

The pilot launched this week will explore the use of the Open Security Controls Assessment Language (OSCAL) to create machine-readable, digital authorization packages.

The FedRAMP team is looking for collaboration partners, including cloud service providers (CSPs); governance, risk, and compliance (GRC) tool providers; and Federal agencies. These partners would review and use new FedRAMP open source guidance and validation tooling, and then share feedback with FedRAMP during the pilot’s office hours.

Federal Chief Information Officer (CIO) Clare Martorana also issued a call for greater collaboration, encouraging the public to submit comments to help improve FedRAMP.

“We don’t do public comment for sport. We don’t do public comment because we have to. We actually don’t need to public comment,” Martorana said during the event. “We’ve tried to approach technology in this administration differently. We read every single public comment that we get.”

“Public comment is really, really important,” she added. “We take this really seriously. And I can’t tell you how thoughtful these teams are that are adjudicating all of those comments. They take them really seriously. And we also, you know, put stuff on a backlog. We might not be able to incorporate something in an initial policy, but all of these policies are living and breathing and are going to continue to evolve. So, please participate in that.”

Martorana also flagged that FedRAMP has multiple open comment periods happening right now, such as the one on a proposed set of metrics that would measure the end-to-end FedRAMP authorization experience. FedRAMP just extended this comment period for another week – giving stakeholders until Sept. 5 to submit comments.

FedRAMP is also looking for feedback on a proposed policy update to how it applies Federal cryptography standards to cloud providers. This comment period is open until Sept. 9.

“One of the big changes in FedRAMP, and I’d love to see this across more of the Federal government, is we’re moving this from a black box … towards transparency,” said Drew Myklegard, the deputy Federal CIO at the White House’s Office of Management and Budget (OMB).

“We at OMB, have put out time and time again, asking for feedback. Our hope is that we have transparency going forward, and you all know as much as you possibly can about the program, because we’re asking you to contribute,” Myklegard added.

Eric Mill, the executive director for cloud security at GSA, concluded the conversation by saying that the application for FedRAMP’s security director position opened on Wednesday. Those looking to get involved can apply here.

FedRAMP aims to provide a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by Federal agencies.

The program has undergone big changes this year, publishing a new roadmap in March detailing how FedRAMP will evolve in 2024 and 2025.

Last month, the White House’s Office of Management and Budget (OMB) released long-awaited guidance to overhaul FedRAMP, replacing the policy created for the program when it began in 2011.

Grace Dille
Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.