The General Services Administration’s (GSA) Federal Risk and Authorization Management Program (FedRAMP) released a new roadmap today outlining how the program will evolve in the next 18 months, focusing on key goals such as customer experience (CX) and cybersecurity leadership.

The 12-year-old FedRAMP program is administered by GSA and provides a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by Federal government agencies.

“This is yet another important milestone in the evolution of the FedRAMP Program,” Clare Martorana, Federal CIO from the Office of Management and Budget (OMB), said in a statement. “The roadmap will further enable the secure and efficient adoption of cloud technology, safeguarding critical information and infrastructure while accelerating innovation for agencies and the public they serve.”

The roadmap outlines four strategic goals for 2024 to 2025, which include: orienting FedRAMP around CX, positioning the program as a leader in cybersecurity and risk management, significantly scaling the size and scope of a trusted FedRAMP marketplace, and increasing program effectiveness through automation and technology-forward operations.

The roadmap also contains specific initiatives the FedRAMP team is taking on to make progress towards these goals. For example, the program plans to survey customers about their experience and publish formal customer-oriented metrics – including their time and cost outcomes.

On the cybersecurity front, GSA said it will define FedRAMP’s core security expectations for all types of authorizations. The agency said it will also work with the Cybersecurity and Infrastructure Security Agency (CISA) “to develop and deploy the best protections for and minimize the risk to the Federal enterprise.”

The FedRAMP program also plans to centralize and automate continuous monitoring, and to support machine-readable “digital authorization packages” as part of its automation efforts.

Another roadmap initiative looks to move FedRAMP away from relying on lengthy documents and towards a data-first, API-first foundation. GSA will establish a new FedRAMP technology platform that will facilitate this and make it easier for agencies and cloud providers to send and receive security information from FedRAMP.

Other notable roadmap initiatives include forming initial joint authorization groups to reduce extra reviews, replacing the “significant change request” process with an approach that doesn’t require advance approval for each change, and supporting secure software development by incentivizing more rapid development and deployment of security features.

“This roadmap is the new vision that we need – and that both buyers and sellers expect – from the clearinghouse and driver for secure, cloud-based services for government,” GSA Administrator Robin Carnahan said. “We’re going to build technical capacity and expertise, more clearly define security expectations, establish reciprocity where it makes sense, and focus on automation and continuous monitoring while helping agencies get the secure cloud innovations they need to deliver.”

“The FedRAMP Authorization Act was designed to streamline the approval of cloud-based technologies so the Federal government can meet its mission. The private sector has invested time and money in trying to be a partner with the Federal government and is oftentimes met with an opaque and inefficient process,” Rep. Gerry Connolly, D-Va., said in a statement to MeriTalk. “This roadmap is a welcome complement to our legislative efforts, with an appropriate focus on customer experience and expanding the FedRAMP marketplace.”

In a March 28 blog post, GSA noted that it will be engaging on this roadmap while kicking off recruitment efforts for a new FedRAMP director and other roles.

Brian Conrad stepped down from his position as acting director of the FedRAMP program on March 22, after serving in the role since January 2021.

GSA said it will hold information sessions on April 1 and April 3 about the upcoming FedRAMP director role, which will open for applications on USAJobs later in April.

Grace Dille
Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.