The General Services Administration’s (GSA) Federal Secure Cloud Advisory Committee (FSCAC) voted today to focus on two main priorities over the next year to make the Federal Risk and Authorization Management Program (FedRAMP) easier to use and able to provide more rapid certifications of cloud products and services.
The FSCAC was launched in early 2023 to follow through on legislation approved by Congress in 2022 to codify the FedRAMP program into law and to help the program achieve a related list of service improvements mandated in the legislation.
“This committee helps ensure effective and ongoing coordination of agencies’ adoption, use, authorization, monitoring, acquisition, and security of cloud computing products and services to help them meet their mission and administrative priorities,” GSA said earlier this year when it announced new appointments to the FSCAC board.
During today’s meeting, FSCAC members discussed a number of areas that the committee could focus on over the next year, but ultimately voted to approve two focus areas that were high on most of the board members’ lists of priorities.
The first of those is to “identify challenges and propose solutions around the barrier to entry” for cloud service providers (CSPs) “with a focus on small businesses, 3PAOs [third party assessment organizations], small and large agencies.”
This focus area also will incorporate the goal of evaluating and providing guidance on “a minimum risk threshold/minimum acceptability standardized baseline for sponsoring agencies and 3PAOs.”
The second main focus area for the next year is to “consider ways to expedite the certification process – explore agile authorizations and other potential cost reductions, both labor and financial.”
Like the first focus area, the second area also will incorporate evaluating and providing guidance on “a minimum risk threshold/minimum acceptability standardized baseline for sponsoring agencies and 3PAOs.”
The FedRAMP program has been operated by GSA since 2011 to provide a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by Federal government agencies.