The US General Services Administration (GSA) announced plans for an overhaul of the Federal Risk and Authorization Management Program (FedRAMP). The new approach, dubbed FedRAMP 20x, will lean into automation to make “authorization simpler, easier, and cheaper while continuously improving security,” according to the GSA press release.
InformationWeek spoke to four leaders in the private sector about the anticipated changes to FedRAMP, the potential impact, and how CIOs at government contractors can prepare.
The Changes
FedRAMP was first established in 2011, about midway through Jonathan Alboum’s 11-year government career. He held multiple senior IT positions within the government, including CIO of the United States Department of Agriculture (USDA) before making the switch to the private sector in 2018, giving him exposure to FedRAMP as both buyer and service provider.
“Since the inception of the program, GSA has been trying to continue to make it better. I really see these changes as a continuation of those overarching efforts,” Alboum, currently the Federal CTO at ServiceNow, tells InformationWeek. ServiceNow provides an AI platform, and it has 100 authority to operate (ATO) letters on file with FedRAMP.
FedRAMP 20x has five main goals. The first focuses on automating the validation of FedRAMP security requirements. Under this new framework, more than 80% of requirements could transition to automated validation.
The second goal aims to reduce documentation requirements if companies pursuing FedRAMP authorization can demonstrate their existing best practices and security policies.
Continuous monitoring is also one of the primary objectives of FedRAMP 20x. The updated model promises a “simple, hands-off approach” that leverages secure-by-design principles and automated enforcement.
Through FedRAMP, GSA has played a role between contractors and government agencies. FedRAMP 20x’s fourth goal emphasizes more direct relationships.
“A major objective is to reduce third-party involvement of the FedRAMP team in favor of more direct agency-provider interactions,” Shrav Mehta, CEO of Secureframe, an automated compliance platform, explains in an email interview. Secureframe intends to pursue authorization under the new FedRAMP model.
The final goal centers on innovation. Under FedRAMP 20x, companies will undergo automated checks and be able to make changes without additional oversight, provided they follow an approved process for doing so.
As is often the case, more automation comes with the possibility of fewer staff. Federal News Network reports that FedRAMP’s program management will be staffed by a few federal employees.
The Potential Impact
While the FedRAMP authorization process could look quite different with more automation, the underlying intent remains the same.
“You’re always going to have a set of guardrails, a set of compliance rules that everybody’s going to have to play by,” says Kevin Orr, federal president for RSA, an identity security solutions company.
RSA ID Plus for Government is FedRAMP authorized, and Orr has coached a number of companies through the process. He has seen firsthand how long it can take. “It’s anywhere from 18 to 24 months,” he shares. “I’ve been through this four times.”
Increased automation that cuts down on the amount of paperwork, time, and labor involved in achieving FedRAMP authorization could result in a less expensive endeavor.
Today, there are nearly 400 FedRAMP authorized services, according to the FedRAMP marketplace. If the process becomes more efficient, and less expensive, more companies might be interested in pursuing authorization.
“The byproduct of that could be greater competition. [It] could be greater availability of capabilities that just don’t exist today in the government sphere,” says Alboum.
Continuous monitoring could offer advantages over a manual audit-based approach. “We develop software and capabilities in a continuous manner. We’re constantly improving them. So, a continuous authorization management approach is really much more appropriate,” says Alboum.
The hope is that continuous monitoring will lead to a more robust cybersecurity posture across the cloud-based tools in use within government agencies.
There is optimism among companies that have achieved FedRAMP certification in the past. Sumo Logic, a cloud-native, machine data analytics platform, achieved FedRAMP Ready designation in 2019 and FedRAMP Moderate authorization in 2021.
“We need to maintain rigor in how we’re evaluating technology to ensure that it’s a secure solution for government agencies. But ultimately we’re very welcoming of efficiencies gained throughout the process,” Seth Williams, the company’s field CTO, tells InformationWeek.
What Comes Next?
The promise of a less burdensome FedRAMP authorization process is exciting for government contractors, but there are still unknowns.
“We’re a little bit in the wait and see [mode] because the devil’s in the details … Exactly how are we going to do continuous monitoring?” Orr asks. “I don’t think anybody really wants the government inside your network telling you what you do. But at the same time, we all stand up and sign up for a security pledge to make the nation a [safer] place. So, somewhere in between is probably the truth, and we’ll see what comes out of it.”
It also remains to be seen how automation is applied and how it works in practice. What will the impact of reduced FedRAMP staffing be? What will more direct relationships between government agencies and contractors look like?
The future of FedRAMP is likely going to be shaped with input from industry stakeholders. FedRAMP working groups will “gather input from industry, ensure equal access to information, encourage pilot programs, and provide technical guidance before formal public comment and release,” according to the GSA press release.
GSA notes that “low-impact service offerings” will not require agency sponsorship under FedRAMP 20x, but relationship building will still be important as FedRAMP evolves. Some of that connection will be formed within those working groups. And contractors who want to work with government agencies will need to demonstrate the value of their service offerings.
“It’s one thing to say, ‘I want to work with the government, or I have the capability to work with government.’ Well, how does it provide value to a government agency?” says Alboum. “Relationships are still going to be very important, especially as we go through this period of significant change.”
How can government contractors, and companies eager to secure government customers for the first time, prepare?
“For government contractors, success will depend on their ability to provide immediate, comprehensive security insights and adapt to more dynamic compliance expectations,” says Mehta.