FedRAMP’s new director has big plans for the cloud compliance program

Pete Waterman told FedScoop that his team is eyeing changes to FedRAMP’s roadmap and the authorization process.
The General Services Administration (GSA) Headquarters building in Washington, DC, November 21, 2016. (SAUL LOEB/AFP via Getty Images)

After deciding on a rocky mountain pass near Mt. Hood in Oregon earlier this year that he would join the General Services Administration as the agency’s new FedRAMP director, Pete Waterman has wasted no time in pursuing a slew of changes for the cloud services compliance program.

In an interview with FedScoop, Waterman said he’s planning to dedicate the next several years of his career to ushering in those changes, including an updated FedRAMP roadmap coming in the next two months and the introduction of a minimum viable program authorization.

For Waterman, a former Technology Modernization Fund adviser and U.S. Digital Service engineer, the intent is to eliminate any distinction of quality between authorizations and bring the “same high watermark that says, ‘This meets the expectation for reuse across the government.’” 

The “number one priority” for FedRAMP and the program management office is to keep the agency authorization pipeline moving, Waterman said, noting that the current wait time to review applications is “over 20 weeks.”

Waterman said last year the program conducted 50 agency authorizations, 10 more than the previous fiscal year. Going forward, he said that the program needs to not only keep that pace but spend “as much time as possible” with other staff to improve the quality of incoming packages so review times are quicker. 

Waterman said the program authorization process needs to be “vigorous, repeatable, transparent and defensible,” as well as supported and enhanced by industry, aligned with agency interests and “backed by the full weight of the federal government as a trusted authorization.”

Waterman emphasized the need to meet a certain standard and “then we have to agree how to prioritize that against agency authorizations, because they’ll share the same resources on my team to do program authorizations and agency authorizations.” He hopes that these plans will reach the public by the end of the calendar year. 

“I really want to get that process dialed in and implemented and start turning authorizations through it sometime in fiscal year ’25,” Waterman said. “There’s a whole bunch of other things that we have to do; there’s so many that we’re still prioritizing, we’re still assessing and we’re still trying to fit them in. There’s little things that will have significant impacts.”

Everything Waterman wants to do with authorizations underscores his belief that it’s critical for FedRAMP to engage with industry. Moving documents into machine-readable formats and being as transparent as possible aligns with those plans. Waterman said he encourages anyone to share questions, experiences or tools with the program team through his email pete@fedramp.gov, and he’s personally carving out “a couple hours twice a week” to read through mail.

“I think the FedRAMP circle of all these people, it deserves that kind of openness and honesty and it’s hard sometimes,” Waterman said. “I might have to say something that people don’t want to hear. I might have to say we’re deprioritizing a policy, or an authorization will take longer than somebody planned, or that we’re not going to have the guidance when we thought we’re going to have it because it turned out to be harder than we thought.”

He continued: “It’s how I’m approaching this long term: collaborative, transparent and trying to build things with our partners rather than trying to build things for our partners.”

Waterman said his vision for the program entails less risk, complexity and time for agency adoption of cloud services, with both the government and industry reaping the benefits of a cheaper, better and easier process for cloud service providers.

The updated roadmap will touch on that and serve as another next step for the program. “It’s a long road to get the program ideal laid out in that memo, and I’m super behind it,” Waterman said. The FedRAMP team has to go about enhancing the program methodically, consistently and continuously to deliver small capabilities “rather than take a more traditional path,” he added.

“My intent is that as we begin to work on different initiatives, the public will be involved,” Waterman said. “Industry will know that communication will exist and you’ll be able to see how and why we’re prioritizing the work that we’re prioritizing and contribute. You’ll be able to contribute, help us with the work, tell us if you disagree with our prioritization and we’ll see how that type of transparency works.”

Written by Caroline Nihill

Caroline Nihill is a reporter for FedScoop in Washington, D.C., covering federal IT. Her reporting has included the tracking of artificial intelligence governance from the White House and Congress, as well as modernization efforts across the federal government. Caroline was previously an editorial fellow for Scoop News Group, writing for FedScoop, StateScoop, CyberScoop, EdScoop and DefenseScoop. She earned her bachelor’s in media and journalism from the University of North Carolina at Chapel Hill after transferring from the University of Mississippi.
