FedRAMP Aims to Achieve Significant Promises through Automation

A recent announcement regarding the Federal Risk and Authorization Management Program (FedRAMP) has garnered praise from analysts for its ambitious speed goals. However, there are concerns about the lack of clarity in execution details, leaving vendors uncertain about how it will address the delays, directives, and rules that currently hinder cloud service sales to the federal government.

FedRAMP, established in 2011 under President Barack Obama, was designed to standardize cloud security assessments for federal agencies and promote the adoption of cloud services. While it has been successful in these areas, FedRAMP has struggled with slow and expensive processes, bureaucratic bottlenecks, backlogs, and overlapping requirements.

The new FedRAMP 20x initiative, led by the General Services Administration, aims to collaborate with private sector partners to develop a cloud-native security assessment model. This model will focus on automated monitoring, implementing best practices, and meeting federal security requirements. The program plans to automate over 80% of FedRAMP controls without requiring detailed documentation.

In March, the program office released a blog post outlining four primary goals for FedRAMP 20x, including providing clear security expectations, simplifying processes for cloud providers, scaling a trusted marketplace, and establishing a data-first, API-first foundation for FedRAMP. Despite the positive reception from industry experts regarding the push towards automation, there are concerns about the lack of specific details on how the changes will be implemented.

Some industry professionals worry that the changes could introduce new uncertainties and disrupt companies in the middle of the authorization process. To address these concerns, FedRAMP officials plan to create community working groups to facilitate direct engagement with industry experts and develop solutions that align with FedRAMP standards.

John Allison, a senior director at Optiv + ClearShark, expressed both excitement and apprehension about the potential impact of automation on FedRAMP processes. While automation has the potential to reduce costs and timelines, companies may face disruptions during the transition, and agencies may need to take on more responsibilities until new tools are in place.

Jacob Horne, chief cybersecurity evangelist for Summit 7, emphasized the importance of ensuring that critical controls are not overlooked in the automation process. He noted that while the goals of FedRAMP 20x are promising, more details are needed to assess the potential impact on security assurance.

The General Services Administration and the FedRAMP program office have yet to provide specific details on how the automation will be implemented or on the ultimate goal of increasing assurance in the FedRAMP program. The agencies involved have not responded to requests for comment.

Overall, industry experts and cybersecurity professionals are cautiously optimistic about the potential benefits of automation in FedRAMP processes. While there are concerns about the lack of clarity in execution details, there is hope that the initiative will ultimately streamline cloud approvals and enhance security practices within the federal government.
