The Federal Risk and Authorization Management Program (FedRAMP) is entering its teen years, having been established in 2011. Just as age 13 brings a host of changes for humans, it is proving momentous for the program that provides a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products.
FedRAMP has evolved to meet the growing importance of cloud services to the daily operations of the government. However, the speed at which FedRAMP grants authorizations to cloud services has consistently been an issue. In 2022, Congress enacted the FedRAMP Authorization Act, codifying FedRAMP into law. The bill included a laundry list of modernization steps to speed up the program's work and expand its capacity, including through the use of more automation technologies. A number of modernization efforts have been implemented this year to help FedRAMP meet the demands of agencies and live up to its promise as a secure way to deploy cloud in government.
Following the Road Map
In February 2024, the program released an 18-month road map focused on improving customer experience and leadership on cybersecurity. The four strategic goals included orienting FedRAMP to better meet the expectations of its customers (vendors and agencies), positioning the program as a leader in cybersecurity and risk management, scaling the size and scope of cloud services offered, and increasing program effectiveness through automation and technology-forward operations.
Between April and July, the program increased the number of products and services available from 300 to nearly 400. Additionally, the Emerging Technology Prioritization Framework was published to define which generative AI capabilities will be prioritized first, in line with user demand and the AI executive order.
Increasing Agility
May 2024 saw the release of the Agile Delivery pilot, which will allow cloud service providers to roll out new features more easily without advance approval for each change. The current process for approving changes to FedRAMP services is laborious and often keeps the most current versions from reaching government users. The new approach is a shift to continuous assessment rather than the current method of assessing point-in-time snapshots, and it aligns with the agile delivery practices used to develop cloud software.
Introducing Automation
Automate.fedramp.gov is a technical documentation hub designed specifically to support cloud vendors in the development, validation, and submission of their digital authorization packages for FedRAMP review. At launch, the focus is on the Open Security Controls Assessment Language (OSCAL), with coverage expanding over time. Vendors will find detailed technical documentation, best practices, and guidance for creating and managing digital authorization packages. This guidance is intended to speed the authorization process by providing more accessible and more frequent documentation updates.
The Future is AI
Moving forward, the FedRAMP team is looking at how artificial intelligence (AI) can further speed processes and improve customer experience. They are looking at ways to incorporate AI early in the process so that it can tell cloud vendors which items will be flagged in review before a package reaches the human reviewers. If a vendor needs feedback about a specific control, AI could point them to, say, a white paper relevant to that control. An AI solution could also provide feedback based on what reviewers have frequently said about other submissions for that control.
Using AI as an initial reviewer means updates can be made before formal review begins, allowing the FedRAMP team to focus on the most critical controls and package areas rather than on the smaller issues that hold up the approval process.
To stay up to date with FedRAMP's evolution as well as the cloud technologies being submitted to the program, check out these resources from GovEvents and GovWhitePapers.
- The Strategic 8: How to Navigate the Current State of Cloud Security (September 18, 2024; webcast) - This session will explore eight of the best strategic practices to get you thinking about properly securing your cloud environment today.
- CloudSecNext Summit & Training 2024 (September 30 - October 1, 2024; Denver, CO) - This summit covers all aspects of the cloud security side of cybersecurity and will bring together a unique combination of real-world user experiences and case studies, as well as practical, technical training focused on specific approaches and skills for building and maintaining a secure cloud infrastructure.
- Federal News Network's Industry Exchange Cloud 2024 (November 18, 2024; webcast) - Learn about the best tools, tactics, and techniques to help achieve effective, efficient, and secure cloud services.
- Managing Multi-Cloud Environments (December 5, 2024; virtual) - This virtual workshop will share a few examples of successful multi-cloud deployments and associated lessons learned.
- Navigating Complexity and Uncertainty in Cloud Computing (white paper) - Uncertainty abounds as agencies adopt and integrate hybrid work environments, cloud-native applications, and multi-cloud platforms. Procurement practices, hiring skilled talent, continuous training, and the future of artificial intelligence (AI) are other challenges agencies face in the evolving cloud computing landscape. Experts from federal agencies shared their experiences navigating the complexities of cloud computing.
- Cloud Security: Federal Authorization Program Usage Increasing, but Challenges Need to Be Fully Addressed (white paper) - The Government Accountability Office analyzed questionnaire responses from federal agencies and selected cloud service providers as well as program data to make recommendations for FedRAMP.
For more information on cloud in government, search for resources on GovEvents and GovWhitePapers.