
FedRAMP tweaks programs to speed authorizations


The Federal Risk and Authorization Management Program is making it easier for cloud service providers to be considered for the FedRAMP Forward program that prioritizes provisional authorizations.

Vendors will now be able to fill out a web form for the Joint Authorization Board detailing their business cases and providing specific information on preferred characteristics outlined in the JAB P-ATO Prioritization Criteria.

“Previously, it was a document that everyone had to fill out that was rather lengthy,” FedRAMP Director Matt Goodrich said during a July 13 webinar to explain the changes. “You can save your web form and complete your business case gradually, so this is something that you can come back to repeatedly and continue to refine.”

The business case form also will allow vendors to submit attachments with service descriptions and proof of awards or certifications they have received.

“We are really looking for [the vendors] to provide the evaluators ... with an understanding of your value to the federal government,” Goodrich said. 

Goodrich urged cloud service providers to think about the “customer journey” and the end users who are employing a cloud-based product to complete their missions.

Lastly, FedRAMP is requiring all CSPs to show current or potential demand for their products.  It is specifically looking to get confirmation that agencies are requesting and using the CSP's cloud services through requests for information or quotations agencies have submitted.

Of the first round of CSPs selected for JAB prioritization in May, Goodrich said five of the seven vendors had about 10 customers and the two other providers had approximately 14 potential customers, based on RFIs and RFQs.

“We are truly looking at the most amount of demand for most customers or systems,” Goodrich said.  “But all things being equal, the FedRAMP Ready and JAB [preferential criteria] will become major considerations when selecting successful vendors for this process.”

FedRAMP business cases and accompanying attachments are due Aug. 25.

On July 13, FedRAMP also made proposed requirements for the FedRAMP Tailored baseline available for public comment.  FedRAMP Tailored is a new set of regulations for low-impact service providers.

The changes make personally identifiable information necessary only at login, outline a continuous monitoring policy, and provide baseline information on how CSPs can attest to each control and on the scope of which types of software-as-a-service applications can be considered low risk.

Industry stakeholders can provide comments on the revised FedRAMP Tailored process on a GitHub page.  The final version of the regulations is expected by the end of the summer.

In addition, major changes could be coming to the FedRAMP process as a whole.  The General Services Administration released an RFI on July 11 asking for feedback on the authority-to-operate process CSPs need to complete to get FedRAMP approval.

GSA is looking for ready-made tools that could be used to automate the ATO process and support federal projects already in progress such as GSA’s Continuous Diagnostics and Mitigation program and the Department of Homeland Security’s Ongoing Authorizations priorities.

Interested stakeholders are asked to provide information on solution deployment models, interoperability with other tools, past customers who might be willing to speak with GSA, opportunities for agencies to buy the services and prices.

Responses to the RFI are due July 25. More information on the details requested by GSA can be found here.

This article first appeared on GCN, a sister site to FCW.

About the Author

Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.

Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.

Friedman can be contacted at sfriedman@gcn.com or follow her on Twitter @SaraEFriedman.
