FedRAMP tweaks programs to speed authorizations

The Federal Risk and Authorization Management Program is making it easier for cloud service providers to be considered for the FedRAMP Forward program that prioritizes provisional authorizations.

Vendors will now be able fill out a web form for the Joint Authorization Board detailing their businesses cases and providing specific information on preferred characteristics outlined in the JAB P-ATO Prioritization Criteria.

“Previously, it was a document that everyone had to fill out that was rather lengthy,” FedRAMP Director Matt Goodrich said during a July 13 webinar to explain the changes.  “You can save your web form and complete your business case gradually, so this is something that you can come back to repeatedly and continue to refine.

The business case form also will allow vendors to submit attachments with service descriptions and proof of awards or certifications they have received.

“We are really looking for [the vendors] to provide the evaluators ... with an understanding of your value to the federal government,” Goodrich said. 

Goodrich urged cloud service providers to think about the “customer journey” and the end users who are employing a cloud-based product to complete their missions.

Lastly, FedRAMP is requiring all CSPs to show current or potential demand for their products.  It is specifically looking to get confirmation that agencies are requesting and using the CSP's cloud services through requests for information or quotations agencies have submitted.

Of the first round of CSPs selected for JAB prioritization in May, Goodrich said five of the seven vendors had about 10 customers and the two other providers had approximately 14 potential customers, based on RFIs and RFQs.

“We are truly looking at the most amount of demand for most customers or systems,” Goodrich said.  “But all things being equal, the FedRAMP Ready and JAB [preferential criteria] will become major considerations when selecting successful vendors for this process.”

FedRAMP businesses cases and accompanying attachments are due Aug.  25.

On July 13, FedRAMP also made proposed requirements for the FedRAMP Tailored baseline available for public comment.  FedRAMP Tailored is a new set of regulations for low-impact service providers.

Changes make personally identifiable information only necessary at login, outline a continuous monitoring policy and provide baseline information on how CSPS can attest to each control and the scope of which types of software-as-a-service applications can be considered low risk.

Industry stakeholders can provide comments on the revised FedRAMP Tailored process on a GitHub page.  The final version of the regulations is expected by the end of the summer.

In addition, major changes could be coming to the FedRAMP process as a whole.  The General Services Administration released an RFI on July 11 asking for feedback on the authority-to-operate process CSPs need to complete to get FedRAMP approval.

GSA is looking for ready-made tools that could be used to automate the ATO process and support federal projects already in progress such as GSA’s Continuous Diagnostics and Mitigation program and the Department of Homeland Security’s Ongoing Authorizations priorities.

Interested stakeholders are asked to provide information on solution deployment models, interoperability with other tools, past customers who might be willing to speak with GSA, opportunities for agencies to buy the services and prices.

Responses to the RFI are due July 25. More information on the details requested by GSA can be found here.

This article first appeared on GCN, a sister site to FCW.