FedRAMP tweaks programs to speed authorizations

The Federal Risk and Authorization Management Program is making it easier for cloud service providers to be considered for the FedRAMP Forward program that prioritizes provisional authorizations.

Vendors will now be able to fill out a web form for the Joint Authorization Board detailing their business cases and providing specific information on preferred characteristics outlined in the JAB P-ATO Prioritization Criteria.

“Previously, it was a document that everyone had to fill out that was rather lengthy,” FedRAMP Director Matt Goodrich said during a July 13 webinar to explain the changes. “You can save your web form and complete your business case gradually, so this is something that you can come back to repeatedly and continue to refine.”

The business case form also will allow vendors to submit attachments with service descriptions and proof of awards or certifications they have received.

“We are really looking for [the vendors] to provide the evaluators ... with an understanding of your value to the federal government,” Goodrich said. 

Goodrich urged cloud service providers to think about the “customer journey” and the end users who are employing a cloud-based product to complete their missions.

Lastly, FedRAMP is requiring all CSPs to show current or potential demand for their products.  It is specifically looking to get confirmation that agencies are requesting and using the CSP's cloud services through requests for information or quotations agencies have submitted.

Of the first round of CSPs selected for JAB prioritization in May, Goodrich said five of the seven vendors had about 10 customers and the two other providers had approximately 14 potential customers, based on RFIs and RFQs.

“We are truly looking at the most amount of demand for most customers or systems,” Goodrich said.  “But all things being equal, the FedRAMP Ready and JAB [preferential criteria] will become major considerations when selecting successful vendors for this process.”

FedRAMP business cases and accompanying attachments are due Aug. 25.

On July 13, FedRAMP also made proposed requirements for the FedRAMP Tailored baseline available for public comment.  FedRAMP Tailored is a new set of regulations for low-impact service providers.

The changes make personally identifiable information necessary only at login, outline a continuous monitoring policy, and provide baseline information on how CSPs can attest to each control and on the scope of which types of software-as-a-service applications can be considered low risk.

Industry stakeholders can provide comments on the revised FedRAMP Tailored process on a GitHub page.  The final version of the regulations is expected by the end of the summer.

In addition, major changes could be coming to the FedRAMP process as a whole.  The General Services Administration released an RFI on July 11 asking for feedback on the authority-to-operate process CSPs need to complete to get FedRAMP approval.

GSA is looking for ready-made tools that could be used to automate the ATO process and support federal projects already in progress such as GSA’s Continuous Diagnostics and Mitigation program and the Department of Homeland Security’s Ongoing Authorizations priorities.

Interested stakeholders are asked to provide information on solution deployment models, interoperability with other tools, past customers who might be willing to speak with GSA, opportunities for agencies to buy the services and prices.

Responses to the RFI are due July 25. More information on the details requested by GSA can be found here.

This article first appeared on GCN, a sister site to FCW.

About the Author

Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.

Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.

Friedman can be contacted at sfriedman@gcn.com or follow her on Twitter @SaraEFriedman.
