New FedRAMP roadmap details imminent plans for modernization
Citing the need to evolve beyond the computing infrastructure support system capabilities that have been its hallmark since 2011, the FedRAMP program on Thursday released a new roadmap for how it intends to embrace modernization.
Modernizing the governmentwide compliance program for cloud services has been top of mind for Washington IT leaders in recent years, most notably with the passing of the FedRAMP Authorization Act in 2022 and the release of an Office of Management and Budget draft policy memorandum on overhauling program operations and governance in 2023.
The Thursday release of FedRAMP’s roadmap represents an acknowledgment from the program’s leadership that federal agencies have much more varied needs compared to at its launch 13 years ago when the top priority was easing the path for cloud computing infrastructure’s implementation into the federal government.
“It is critical that FedRAMP be well-positioned to make sure federal agencies get the full benefit of these software-as-a-service (SaaS) cloud offerings,” the FedRAMP program office said in a blog post.
“While SaaS applications are used in government, and FedRAMP does have some in its marketplace, it’s not nearly enough and it’s not working the way that it should. We know that for many companies, especially software-focused companies, it takes too much time and money to get a FedRAMP authorization. And we’re particularly cognizant that we need to scale and automate our own processes beyond where they’re at now if we want to meaningfully grow the FedRAMP marketplace.”
The roadmap features four primary goals as part of its modernization push: centering FedRAMP around customer experience, positioning the program as a cybersecurity and risk management leader, substantially scaling the size and scope of the marketplace, and bolstering the program’s effectiveness through the use of automation and other “technology-forward operations.”
For fiscal year 2024, FedRAMP aims to check off 10 boxes related to its four primary goals, including the release of updated guidance on FIPS 140, the formation of initial joint authorization
groups, the launch of a pilot for machine-readable “digital authorization packages” with cloud providers and federal agencies, and the proposal of new key performance metrics, among others.
In the first and second quarters of fiscal 2025, FedRAMP plans to incorporate the Cybersecurity and Infrastructure Security Agency’s Secure Cloud Business Applications (SCuBA) guidelines into secure configuration profiles, publish “low-review FedRAMP authorization criteria” and begin migration to a new FedRAMP platform.
As part of the rollout of its roadmap, FedRAMP on April 11 will host a public forum and answer questions about the updated plan. And at some point next month, the organization will open the application process on USAJobs.gov for a new FedRAMP director, after its most recent chief, Brian Conrad, departed.
