FedRAMP’s ‘year of refinement’ emphasizes improvements to continuous monitoring

In 2018, the office is looking to fine-tune the guidance it’s using to connect cloud service providers with federal agencies.
Ashley Mahan speaks May 17, 2017, at the Public Sector Innovation Summit presented by VMware and produced by FedScoop and StateScoop. (FedScoop)

Last year, the Federal Risk and Authorization Management Program moved to streamline how it authorized the cloud service providers that contract with federal agencies. In 2018, it’s looking to fine-tune the guidance that CSPs use to meet the needs of those agencies.

The process includes new guidance adjustments, released last week, on how FedRAMP judges compliance with continuous monitoring rules. CSPs must maintain an appropriate level of “ConMon” for threats and intrusions as part of their cybersecurity risk postures.

“This is kind of a year of refinement for us,” said Ashley Mahan, FedRAMP’s agency evangelist, speaking with FedScoop at a Feb. 1 Government Information Technology Executive Council event.

Overseeing CSPs’ compliance with continuous monitoring has been a big cost driver for FedRAMP. Director Matt Goodrich said in December that the office spends 75 percent of its security budget on it. With the new guidance, FedRAMP is looking to not only streamline those requirements, but also improve compliance.
“We’re helping all of our customers understand FedRAMP, helping them navigate through the program and give them everything they need to successfully issue those authorizations and also for industry to successfully work with agencies in the FedRAMP way,” Mahan told FedScoop.

The new guidance also included updates to cryptographic protocols like Transport Layer Security and identity management standards from the National Institute of Standards and Technology.

“Basically, it was a response to a lot of industry and agency feedback with wanting to provide additional details and guidance about certain requirements,” Mahan said.

Incorporating that feedback is part of FedRAMP’s broader goal in 2018 to open up cloud adoption, including training for agency information security systems personnel to better support them throughout the authorization process.

“I think what we really want to do this year, especially from an agency standpoint, we really want to increase the number of agencies using cloud technologies,” Mahan said. “We’ve heard from our customers that the authorization process can be lengthy, and we really want to show them that it doesn’t have to be that way.
“We’re going to show you the best practices and empower you to go through these authorizations in a quick and informative way.”

Written by Carten Cordell

Carten Cordell is a Senior Technology Reporter for FedScoop. He is a former workforce and acquisition reporter at Federal Times, having previously served as online editor for Northern Virginia Magazine and Investigative Reporter for, Virginia Bureau. Carten was a 2014 National Press Foundation Paul Miller Fellow and has a Master’s degree from the Medill School of Journalism at Northwestern University. He is also a graduate of Auburn University and promises to temper his passions for college football while in the office.