The General Services Administration’s (GSA) Federal Risk and Authorization Management Program (FedRAMP) launched a new agile delivery pilot program this week rooted in iterative development and customer engagement.
GSA’s Executive Director for Cloud Security Eric Mill touted the new pilot during the ATO and Cloud Security Summit in Washington, D.C., today, noting that FedRAMP is looking to work with 20 cloud service providers (CSPs) over the next year to alter the program to provide more speed and security.
The goal of the agile delivery pilot, according to FedRAMP, is to replace the current “significant change request” process with an approach that does not require advance approval for each change. “Our long-term goal is to shift the FedRAMP process to one that is based on continuous assessment rather than assessing point-in-time snapshots,” FedRAMP wrote in a July 10 blog post.
Mill said this legacy process has been the subject of “long-standing concerns” among FedRAMP and its customers.
“For a lot of cloud providers, this [change request process] can go on for a long time and really get in the way of what we know to be secure software deployment and delivery practices, which are agile software delivery practices,” Mill said. “The Federal government absolutely needs to get the benefits of these companies, who we are relying on, for them to be able to share as many security improvements and updates as possible.”
“This is an area where we think we can take a look at the way that FedRAMP has operated to date and refactor the process to be one that is based on continuous assessment,” Mill said. “We think we should be getting both more security and more speed at the same time.”
The new pilot – which was laid out in FedRAMP’s roadmap released earlier this year – is accepting applications from CSPs until July 26. CSPs who have a new feature they plan to release before Dec. 31 are encouraged to apply. CSPs should have mature automated configuration management and change management processes, whose details they are willing to share, FedRAMP said.
FedRAMP said it will work with the CSP and its associated agencies to make selections for the new pilot program by Aug. 16.
FedRAMP Launches Automation Website
Eric Mill also announced that FedRAMP launched automate.fedramp.gov today – a new technical documentation hub designed specifically to support CSPs in the development, validation, and submission of digital authorization packages.
The website is initially focused on documenting FedRAMP’s use of the Open Security Controls Assessment Language (OSCAL) to support digital authorization packages, FedRAMP said, but will expand over time as new capabilities are brought online.
Automate.fedramp.gov offers detailed technical documentation, best practices, and guidance for creating and managing digital authorization packages with OSCAL. The new website will help make the FedRAMP authorization process more efficient and accessible by providing faster and more frequent documentation updates and improving user experience, among other things.
FedRAMP noted that partners should keep an eye out to participate in an upcoming automation pilot program.
The 12-year-old FedRAMP program is administered by GSA and provides a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by Federal government agencies.
GSA has been engaging in FedRAMP’s new roadmap while continuing recruitment efforts for a new FedRAMP director and other roles.
Brian Conrad stepped down from his position as acting director of the FedRAMP program on March 22, after serving in the role since January 2021.
“We’re in the final stages [of hiring a new director], and we’re really excited about finalizing the process so we can have a career civil service FedRAMP director that’s able to move the program forward,” Mill said today.
“We, more broadly, have been doing quite a bit of hiring this year,” Mill said. “We are bringing in multiple folks to the program with strong technology, data science, machine learning, and tech backgrounds to both build our automation infrastructure and help us get better insights from the security data that we collect.”
“We’re going to have more. We’re not far enough along for me to say exactly what positions are opening up, but there will be more this year that are significant for the FedRAMP program,” he added.