The General Services Administration (GSA) is set to unveil on Monday its plan to revamp how the Federal Risk and Authorization Management Program (FedRAMP) operates, with the goal of increasing the pace of authorizations. Sources familiar with the program are wondering how that end can be achieved given recent cuts to the FedRAMP workforce.

Several knowledgeable sources told MeriTalk they expect GSA to consider, among other scenarios, shifting responsibilities and workloads onto third party assessment organizations (3PAOs) and onto the Federal agencies that sponsor cloud service providers seeking FedRAMP authorizations. They also expect the program to focus more on the larger security issues while deemphasizing lengthy checklists of details.

According to sources, GSA will unveil its program revamp plans on March 24, and FedRAMP Director Pete Waterman is scheduled to discuss those developments during a 3 p.m. event on Monday organized by the Alliance for Digital Innovation (ADI).

The FedRAMP program is administered by GSA and provides a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by Federal government agencies.

FedRAMP Workforce Cuts

Sources told MeriTalk earlier this month that the FedRAMP workforce has been sharply reduced through the elimination of about 80 contractor positions, leaving the contractor workforce near zero. GSA has retained 18 full-time Federal employees in the FedRAMP program office – up from the single-digit figures last year.

The current roster, sources pointed out, notably includes several employees who are still in probationary employment periods, either because they were recently promoted or because they started in their current positions less than two years ago. Probationary employees at many agencies have been among the first to go in recent layoffs, so their retention by GSA up to now appears to bode well for the future of the FedRAMP program office.

Also boding well is GSA’s insistence in a statement to MeriTalk earlier this month that FedRAMP has a vital future within GSA’s Technology Transformation Services (TTS) unit, which is in the midst of executing an overall 50 percent staff cut.

“FedRAMP is a priority for TTS and GSA,” an agency spokesperson said on March 7.

“FedRAMP is steadfast, operational, and continues to deliver value to the American taxpayer,” the spokesperson said. “GSA is currently working on a proposal to revamp FedRAMP to unlock more throughput. Increasing government adoption of modern technology in the form of cloud services is critical, and FedRAMP is essential to ensuring that happens.”

But with the FedRAMP workforce plunging from near 100 people down to the current total of about 18, it remains an open question – until the agency explains more on March 24 – how GSA will go about boosting program throughput with a radically reduced team to draw upon.

3PAOs and Agencies

One way to grapple with that problem, sources said, is to push more responsibility to the industry 3PAOs, which are third parties that perform initial and periodic assessments of cloud systems based on Federal security requirements. They are accredited to perform those tasks by the American Association for Laboratory Accreditation, and they advise cloud providers in the process of obtaining FedRAMP authorizations for their services.

That scenario would highlight the value of the FedRAMP program office as a centralized organization overseeing the larger effort, sources said. But it could also mean that 3PAOs, which all follow the same standards playbook but have their own wrinkles in how they do their jobs, arrive at their conclusions via slightly different paths.

Sources also said that the program's reduced government and contractor workforce could end up pushing more work onto the Federal agencies that sponsor cloud service providers pursuing FedRAMP authorizations, often because those agencies intend to use the service themselves.

How far that could go toward increasing program throughput might be blunted by a lack of resources at budget-constrained agencies, particularly those now under pressure to cut costs and staff quickly, sources noted.

Nevertheless, sources said, the work of increasing authorizations – even with the help of increased automation – will need to be absorbed somewhere in the chain if the rate of authorizations is expected to climb significantly.

They also raised the idea that with a reduced staff, the FedRAMP office could change to something more like a standards-keeping body that oversees processes being followed by 3PAOs and agencies, and then delivers less-complicated final evaluations of their work – at least on lower-impact applications.

Sources also pointed to the possibility of a larger reordering of FedRAMP's thinking, in which the program would focus more heavily on the most glaring security problems and on making sure they are dealt with properly, and in turn deemphasize to some extent the less compelling items on the security standards checklist.

Finally, some expressed curiosity about the idea that the program could depart from its FISMA-based approach and start looking at, and perhaps accepting, other security and compliance regimes.

Who’s Top Dog?

Another question sources hope to learn more about next week involves the roles of FedRAMP's leadership elements. The FedRAMP program office currently sits at the center of that structure, and sources expect it to remain the center of authority going forward.

But they also pointed to the roles of other entities like the FedRAMP Board created last year to replace the program’s old Joint Authorization Board that served as the primary governance and decision-making body for the program since it was created in 2011.

The new board was mandated by legislation approved by Congress in 2022 to codify the program into Federal law and to undertake other efforts to speed FedRAMP evaluation and approval processes.

Also relatively new to the FedRAMP lineup is a Technical Advisory Group that GSA unveiled last year to “help inform decision-making on the technical, strategic, and operational direction” of the program.

Those two are in addition to the Federal Secure Cloud Advisory Committee (FSCAC) launched in early 2023 to follow through on the 2022 legislation that codified FedRAMP into law. The 15-member FSCAC has been a key element in advising the FedRAMP program and guiding it through a list of program-related mandates in the 2022 legislation.

John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.