The present and future of FedRAMP

The General Services Administration's Federal Risk and Authorization Management Program (FedRAMP) team is "setting the foundation of the program for the next five to ten years" with a focus on automation and streamlining processes for both providers and customers, according to the acting director of the program.

Brian Conrad, who began leading the FedRAMP team in 2018 as its acting director and previously served as chief information officer for the Department of Defense, said the program – which is meant to ensure that government cloud service providers follow federal security standards – has approved 276 providers since it was launched more than 10 years ago. 

“We want to make sure that cloud providers are continually protecting federal information,” Conrad said at FCW’s FedRAMP Summit on Wednesday, noting how FedRAMP approvals have been reused more than 4,100 times -- a key feature of the program's design. 

The FedRAMP program has matured over the years in collaboration with the National Institute of Standards and Technology, which recently issued updated guidance for agencies addressing potential vulnerabilities among software and cloud providers. 

In addition to further leveraging automation and introducing new initiatives like low impact software-as-a-service, Conrad said his team was also in discussions with the Cybersecurity and Infrastructure Security Agency (CISA) about potentially adding data to the agency's Continuous Diagnostics and Mitigation dashboard about cloud services and risks.

“Understanding that agencies are using the cloud as an extension of their enterprise, having that information on the cloud provider's continuous monitoring sent directly to the agencies, we feel is an important step,” Conrad said. 

Judy Baltensperger, program manager of CISA's CDM dashboard, later suggested her support for the idea of providing agencies with data the agency already collects around cloud service providers. 

“At the moment it is visible to ourselves only,” she said. “I think what we need to evolve to, and I imagine agencies will be asking [for], is to get visibility into it as well.”

FedRAMP enjoyed a boost to its automated validation efforts earlier this year when it accepted the first Open Security controls assessment Language (OSCAL) formatted System Security Plan (SSP) from a FedRAMP-authorized cloud service provider, a "huge milestone" which allows the program to move forward with its automation objectives, according to Conrad.

But the program still features its own issues: Government Accountability Office reports have noted that agencies continue to approve cloud projects without first vetting those initiatives through FedRAMP, in part due to the reported hurdles around compliance and the costs to become a FedRAMP-authorized provider.

Still, officials said on Wednesday that the program has served as an effective tool for agencies in their efforts to bolster national cybersecurity – particularly following the ambitious cyber executive order the White House issued last year. 

“The FedRAMP program certainly helps with the aggressive timelines that we are facing with the cyber executive order,” Commerce Department CIO Andre Mendes said during a panel on FedRAMP modernization and agency digitalization, adding that agencies can focus on achieving the goals outlined in the order “in a much more aggressive manner” when it works with verified providers.