As the White House’s Office of Management and Budget (OMB) works to modernize the Federal Risk and Authorization Management Program (FedRAMP), one OMB official said this week that the agency is looking to scale the FedRAMP Marketplace and create new authorization paths.
FedRAMP aims to provide a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by Federal agencies.
OMB released draft guidance in October to modernize FedRAMP – which is run by the General Services Administration (GSA) – and replace existing policy created for the program when it began in 2011.
Laura Gerhardt, a supervisory policy analyst and the director of technology modernization and data at OMB, said that OMB is currently reviewing over 160 comments on the draft guidance.
“[We’re] really looking in particular at how do we make sure we scale the marketplace because right now there are only around 300 different products or service offerings,” Gerhardt said at the GovernmentDX event in Washington on April 18. “I think both industry and agencies know there’s so much more we want to use, and there’s so much more we should be using.”
“So, we’re really looking at ways that we can create new authorization paths so we’re not compromising security – if anything we’re trying to hone in the processes so they’re laser-focused on good security outcomes,” she added. “That’ll build confidence within agencies to leverage the reuse, making sure we’re having conversations about prioritization.”
For example, Gerhardt said that following President Biden’s AI executive order, OMB is now looking at ways to prioritize generative AI capabilities, as well as process automation.
Automation will help to alleviate the documentation burden when it comes to FedRAMP, allowing Federal agencies to focus on driving security outcomes.
“I know even last week, GSA had a whole week session of looking from a process perspective, where are there points in the journey maps of both agencies and industry providers that we can streamline that so FedRAMP isn’t the barrier, it’s like the stamp of approval of ‘I feel good about being able to use this product in government,’” Gerhardt said.
GSA is planning big changes to FedRAMP, and it released a new roadmap last month outlining how the program will evolve in the next 18 months – focusing on key goals such as automation and customer experience.
“This roadmap is the new vision that we need – and that both buyers and sellers expect – from the clearinghouse and driver for secure, cloud-based services for government,” GSA Administrator Robin Carnahan said following the roadmap’s release. “We’re going to build technical capacity and expertise, more clearly define security expectations, establish reciprocity where it makes sense, and focus on automation and continuous monitoring while helping agencies get the secure cloud innovations they need to deliver.”
