The General Services Administration’s (GSA) Federal Risk and Authorization Management Program (FedRAMP) is looking for public feedback on a proposed set of metrics that would measure the end-to-end FedRAMP authorization experience.
FedRAMP aims to provide a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by Federal agencies.
The feedback will help the FedRAMP team to finalize a set of measures that will allow the program to focus on customer experience and security.
“We encourage all stakeholders, including CSPs, Federal agencies, 3PAOs, and the general public to provide feedback on these proposed metrics. As you review these metrics, please help us make our metrics comprehensive, accurate, and something that speaks to your needs,” FedRAMP said in a July 30 blog post.
“These metrics are not exhaustive and FedRAMP plans to revisit metrics each year to ensure we are updating our metrics with the changing landscape of the program. Future metrics will also be further informed by the FedRAMP Government Risk and Compliance (GRC) platform buildout,” it added.
The metrics are broken out across two areas: an end-to-end customer experience and a security-first program.
Some of the metrics are focused on cost or time – such as the overall time an initial authorization package is in the active review phase. Other metrics are focused on security, such as the number of incidents that impacted FedRAMP Authorized Cloud Service Offerings (CSOs) within the year.
As stakeholders review the proposed metrics, FedRAMP advised them to keep in mind some of the following questions:
- In your opinion, what are the most important metrics for assessing the efficiency and effectiveness of the FedRAMP process and how can FedRAMP ensure we are getting an accurate representation of this data when collected?
- What role could FedRAMP play in helping define success regarding timeliness and cost-effectiveness of the authorization process where FedRAMP is not involved in every phase of the authorization process?
- What types of information would help to manage your expectations and improve your experience during the FedRAMP authorization process?
- Do you use specific performance metrics within your organization to monitor progress that you feel would be a good standard to share with other FedRAMP stakeholders?
- How confident are you in the quality and completeness of the data you will provide for these metrics? What measures do you think could improve the accuracy and reliability of the data?
Those interested in submitting comments on the proposed metrics must do so by Aug. 29.
