FedRAMP tweaks programs to speed authorizations

The Federal Risk and Authorization Management Program is making it easier for cloud service providers to be considered for the FedRAMP Forward program that prioritizes provisional authorizations.

Vendors will now be able to fill out a web form for the Joint Authorization Board detailing their business cases and providing specific information on preferred characteristics outlined in the JAB P-ATO Prioritization Criteria.

“Previously, it was a document that everyone had to fill out that was rather lengthy,” FedRAMP Director Matt Goodrich said during a July 13 webinar to explain the changes. “You can save your web form and complete your business case gradually, so this is something that you can come back to repeatedly and continue to refine.”

The business case form also will allow vendors to submit attachments with service descriptions and proof of awards or certifications they have received.

“We are really looking for [the vendors] to provide the evaluators ... with an understanding of your value to the federal government,” Goodrich said. 

Goodrich urged cloud service providers to think about the “customer journey” and the end users who are employing a cloud-based product to complete their missions.

Lastly, FedRAMP is requiring all CSPs to show current or potential demand for their products.  It is specifically looking to get confirmation that agencies are requesting and using the CSP's cloud services through requests for information or quotations agencies have submitted.

Of the first round of CSPs selected for JAB prioritization in May, Goodrich said five of the seven vendors had about 10 customers and the two other providers had approximately 14 potential customers, based on RFIs and RFQs.

“We are truly looking at the most amount of demand for most customers or systems,” Goodrich said.  “But all things being equal, the FedRAMP Ready and JAB [preferential criteria] will become major considerations when selecting successful vendors for this process.”

FedRAMP business cases and accompanying attachments are due Aug. 25.

On July 13, FedRAMP also made proposed requirements for the FedRAMP Tailored baseline available for public comment.  FedRAMP Tailored is a new set of regulations for low-impact service providers.

Changes make personally identifiable information only necessary at login, outline a continuous monitoring policy and provide baseline information on how CSPs can attest to each control and the scope of which types of software-as-a-service applications can be considered low risk.

Industry stakeholders can provide comments on the revised FedRAMP Tailored process on a GitHub page.  The final version of the regulations is expected by the end of the summer.

In addition, major changes could be coming to the FedRAMP process as a whole.  The General Services Administration released an RFI on July 11 asking for feedback on the authority-to-operate process CSPs need to complete to get FedRAMP approval.

GSA is looking for ready-made tools that could be used to automate the ATO process and support federal projects already in progress such as GSA’s Continuous Diagnostics and Mitigation program and the Department of Homeland Security’s Ongoing Authorizations priorities.

Interested stakeholders are asked to provide information on solution deployment models, interoperability with other tools, past customers who might be willing to speak with GSA, opportunities for agencies to buy the services and prices.

Responses to the RFI are due July 25. More information on the details requested by GSA can be found here.

This article first appeared on GCN, a sister site to FCW.

About the Author

Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.

Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.

Friedman can be contacted at sfriedman@gcn.com or follow her on Twitter @SaraEFriedman.
