
A New Roadmap for FedRAMP

March 28 | 2024


Today, the FedRAMP program is releasing a roadmap, to convey our strategic goals and how we’re prioritizing our work in the near term to drive progress against them.

In recent years, there has been a significant public focus on modernizing FedRAMP. In 2022, Congress passed a new law codifying the program. In 2023, the White House Office of Management and Budget (OMB) released a draft policy memorandum proposing significant changes to program operations and governance. Broadly, these changes have been intended to keep what’s worked well about FedRAMP, while creating a runway for the program to adapt to change, now and into the future.

And that makes sense, because a lot has changed since FedRAMP was created in 2011. At that time, the federal government was overwhelmingly focused on making sure agencies could benefit from the explosion in commercial, cloud-based computing infrastructure that was transforming how enterprises around the world thought about building and scaling software. FedRAMP proved critical to creating a well-lit path to bring that cloud computing infrastructure into government, where its use is now widespread.

Today, what federal agencies need from FedRAMP is not only computing infrastructure, but everything that’s being built on top of it. Modern enterprises today run on a kaleidoscope of cloud-based applications, large and small. It is critical that FedRAMP be well-positioned to make sure federal agencies get the full benefit of these software-as-a-service (SaaS) cloud offerings.

While SaaS applications are used in government, and FedRAMP does have some in its marketplace, it’s not nearly enough and it’s not working the way that it should. We know that for many companies, especially software-focused companies, it takes too much time and money to get a FedRAMP authorization. And we’re particularly cognizant that we need to scale and automate our own processes well beyond their current state if we want to meaningfully grow the FedRAMP marketplace.

Our roadmap lays out our four primary goals:

  • Orienting around the customer experience. We’ll simplify the process for cloud providers, and make the results more useful for agencies. As we do that, we want our conception of how much time and money it costs to go through FedRAMP to match our customers’ lived experience as closely as possible.
  • Cybersecurity leadership. FedRAMP is a security and risk management program. We’ll make our security expectations clearer and more consistent for every kind of FedRAMP authorization. At the same time, we’ll start and continue updating FedRAMP policies to make sure a too-rigid approach doesn’t get in the way of real-world security.
  • Scaling a trusted marketplace. We’ll develop clear processes with trusted authorizing partners that cut down on unnecessary reviews at GSA. At the same time, FedRAMP will centrally take on more post-authorization monitoring and automate as much of it as possible.
  • Smarter, technology-forward operations. We’ll build a data-first, API-first foundation for FedRAMP by putting the tools, specs, and services in place to create and share digital authorization packages and other information.

Our roadmap contains some specific initiatives we’re undertaking to make concrete progress against these goals:

  1. An agile approach to change management. FedRAMP needs to enable agile software delivery of security improvements and other features. To do this, we plan to replace the “significant change request” process with an approach that does not require advance approval for each change. We’ll start by piloting a new process with interested authorized cloud providers, and use the pilot to finalize broader guidance.
  2. Publish new, customer-oriented program metrics. If we are going to impact the cost of FedRAMP and how long it takes to get and stay authorized, we need a better way to measure those things, informed by what our customers are actually experiencing. Likewise, we need to refine our understanding of our agencies’ customers’ experience and focus on ensuring they can efficiently and securely leverage cloud services to meet their mission needs. We plan to survey customers about their experience, soon and at a regular cadence, and to update FedRAMP’s formal performance metrics based on this survey to align with customer outcomes.
  3. Define FedRAMP’s core security expectations. A central challenge of FedRAMP is to accommodate varying risk tolerances across agencies, while still setting a high enough bar for its authorizations to broadly support agency reuse without additional work. We plan to make progress here by more clearly defining the outcomes we expect all types of authorizations to meet. We will also work closely with the Cybersecurity and Infrastructure Security Agency (CISA) to develop and deploy the best protections for and minimize the risk to the federal enterprise. By combining this with more public documentation and examples of how cloud providers meet FedRAMP’s security goals, we can also streamline the authorization process overall.
  4. Keeping FedRAMP policies focused on outcomes. As a security-first program, FedRAMP needs to care not only about what is required, but about how those requirements can be reasonably applied and how they work out in practice. FedRAMP will hold cloud providers to a high standard, one that is informed by how implementation best practices have evolved and that provides the flexibility needed to stay focused on security outcomes. We’ll start with updated guidance in a few areas that we know are particular authorization pain points now (such as FIPS 140, DNSSEC, and external service integrations), and set up a regular process for understanding where to focus over time.
  5. Increase the authorizing capacity of the FedRAMP ecosystem. We will work with trusted authorizing partners to align our processes and eliminate the need for extensive per-package review by the program. We will be piloting this approach with our partners at DISA, who serve as the Cloud Authorizing Official for the Department of Defense. More generally, we will be supporting OMB and the FedRAMP Board in convening joint authorization groups, which we expect to be strong candidates for this streamlined approach.
  6. Move to digital authorization packages. While a full migration will take time, FedRAMP needs to operate as a data-first program for its processes to scale. We will define machine-readable packages, in OSCAL, and provide the guidance and tools to help our customers create and share them. Our goal is to leverage automated validation and assessment of packages, as well as system-to-system integration with our FedRAMP governance, risk, and compliance (GRC) platform, to modernize and scale. We will work with interested cloud providers to pilot creating these packages and incorporating them into the authorization process in partnership with interested agencies.

There are other things we’re working on too, like exploring reciprocity with external frameworks, and partnering with our colleagues at CISA on scaling secure configuration guides and threat sharing. Take a look at our published roadmap for more details.

We’re hoping to see a number of outcomes from our efforts over time. We expect our industry providers to be able to more effectively deploy changes, and our agency partners to see more features – including security features – faster. We expect to stabilize our review “backlog”, and keep it stabilized over the long term. We expect cloud providers, agencies, and third party assessors to have a better understanding of our security requirements, leading to higher quality packages and ultimately greater trust in the FedRAMP program.

Most importantly, we want to understand early what’s working and what’s not so that we can adapt our work and priorities as we go. That’s why we’re planning to initiate pilots and deliver minimum viable products (MVPs) early wherever we can, and why we’ll be checking in with customers throughout the process.

These initiatives will take real time and resources, so as we move out on them, you may notice some shifts in how it feels to work with us. At least for a time, we’ll be less available for ad hoc calls and individualized service, as we focus on what we believe are more foundational changes that will improve the customer experience for everyone. Similarly, we will be doing fewer one-off communications and events, but when you do hear from us, it will be more significant, including updates to our overall roadmap at least a couple times each year. We’ll continue to ask for public comments on significant changes, including occasional public forums, so that we can incorporate your feedback throughout.

Coming up next, we’ll be engaging on this roadmap and kicking off recruiting efforts for a new FedRAMP Director and other roles. Some dates to be aware of:

  • April 1 and April 3: GSA will hold information sessions about the upcoming FedRAMP Director role.
  • Later in April: The role of FedRAMP Director will open for applications on USAJobs.
  • April 11: FedRAMP will hold a public forum to present and take questions on its updated roadmap.
  • April 18: FedRAMP will be at the “Tech to Gov” hiring fair, where we’ll be looking for technology talent that can help us build the data- and API-driven FedRAMP of the future and support FedRAMP’s prioritization of generative AI and emerging technologies.
