Officials with the Federal Risk and Authorization Management Program (FedRAMP) are asking industry to submit draft versions of their planned submissions for the FedRAMP 20x Phase One pilot between May 19 and May 26.
The Phase One pilot, as detailed by FedRAMP in a late-April blog post, will test “how cloud service providers can meet FedRAMP Low authorization requirements using a combination of automated technical validation, existing commercial certification, and simple documentation requirements to generate machine-readable packages that can be assessed by trusted third parties.”
The pilot springs from FedRAMP’s 20x revamp effort launched in March, which is placing a heavy focus on automation to speed the approval process for secure cloud services authorized by FedRAMP. It also aims to make the process of obtaining program authorizations simpler, easier, and cheaper while continuously improving security.
FedRAMP said it will review the Phase One pilot draft submissions before sharing public, generalized feedback in advance of the final submission window.
In a Phase One timeline posted to its 20X website, FedRAMP said it will begin to accept formal Phase One pilot submissions on May 30. On June 2, the program expects to begin authorizing qualifying 20X Low submissions.
Around the same time, the program’s earlier call for comment issued last month to create Key Security Indicators – that will summarize the security capabilities expected of a cloud-native service offering to meet FedRAMP Low authorization requirements – is due to close on May 25. The program expects that KSIs will finalize on May 29.
“FedRAMP will continue to accept Phase One submissions while preparing for Phase Two,” the program said, adding, “Phase One submissions will remain open based on demand.”
FedRAMP staff emphasized the May 19-26 submission window for draft versions of Phase One pilot submissions during an online meeting of the FedRAMP Automating Assessment working group on May 14.
“The draft submissions are submissions of your machine-readable file that you’re putting out prior to your final submission,” a FedRAMP staffer explained during the May 14 meeting.
“The pilot draft submissions are not going to impact your final approval or not,” the staffer emphasized.
“They don’t have to be finalized or even completed, and they can contain placeholder or anonymized data, so if there’s information that you’re not quite sure you’re ready to release publicly, you can put in … some text, it doesn’t matter, we don’t care,” the staffer said. “We’re really mostly interested in the format and the process as to how it’s being delivered.”