GSA moves forward on overhaul of FedRAMP priorities
Is it possible to move mountains, both “practically and bureaucratically,” within six months of a new political appointment in civic technology? Half a year into his tenure as executive director for cloud strategy within the General Services Administration’s Technology and Transformation Services, Eric Mill believes that he and his team have done just that.
In an interview with FedScoop, Mill called the GSA a “very open source-leading organization,” pointing specifically to the agency’s FedRAMP work. Based on having a decade of federal government experience, Mill said GSA’s open-source embrace “is one of those under-observed, under-appreciated force multiplier things that makes an agency much more effective and amortizes a lot of risk by just engaging out there in the open and getting, not just even feedback, but like fixes and help and things from the public in a way that it is just organically aligning everybody’s incentives.”
After releasing a FedRAMP roadmap in March and announcing a slew of advisory and governance boards, Mill said the GSA is currently working through a pair of pilot projects, adding to its technical talent capacity and finalizing an artificial intelligence task laid out by the White House in President Joe Biden’s October AI executive order.
Upcoming pilots
The first pilot Mill addressed involves secure software development tied to FedRAMP’s significant change request process, and the second is a partnership with the Defense Information Systems Agency for a “trusted authorizing partner approach,” offering a speedier timeline with the same level of scrutiny for review.
TTS wants to enable better secure software outcomes and ensure an agile delivery cadence through the significant change request program, which Mill said could look like the review portion of the FedRAMP process being moved “left of the timeline” in order to allow general oversight instead of the existing blocking approval step on a per-change basis.
“In terms of the government security interest in FedRAMP, we want to enable what we know leads to better software development outcomes,” Mill said.
Mill said that DISA has been “really vocal” about aligning efforts with the GSA and having both teams work together to develop understanding, confidence and agreement to ensure structure and quality for the product of DISA’s process. Additionally, this contributes to quickening the authorization timeline.
“We’ll have done more work upfront to buy ourselves a higher confidence, more detailed working relationship between our teams that we are chopping off a considerable amount of time … on a per-authorization basis,” Mill said.
Recruiting tech capacity
While the GSA is in the final stages of hiring a FedRAMP director, the agency is continuing its work to recruit additional tech talent for different positions that the agency expects to be crucial for “building out the future of how FedRAMP both organizes and asks itself questions inside,” Mill said. “But just as importantly, builds out the infrastructure for us to automate.”
The GSA was at a recent Tech to Gov job fair, an event led by the Office of Personnel Management to bring technical talent into the government rapidly. Mill said the agency was there to recruit individuals with AI-related skills— which includes generative AI and data science. Those skills, he said, are applicable to enhancing the FedRAMP program.
“For better, or worse, I will happily say mostly worse, we traffic in a lot of multi-hundred page Word documents and PDFs,” Mill said. “It’s not the best from a data perspective.”
The agency, in response, is moving to a machine-readable approach to authorizations and documentation. Mill’s team expects that shift will improve the use of the information that is currently accessible to the agency.
Checking AI EO boxes
The GSA is also finalizing a task laid out by the AI executive order that will formalize how the agency prioritizes emerging technologies in the FedRAMP ecosystem, Mill said.
“It’s a task in the EO, but one that we’re happy to take on here,” Mill said. “We really do believe that these technologies are ones that can improve service delivery and improve the way that the government operates, and we want to make sure that we’re not sitting on the sidelines here and that we were able to do this thing.”
That prioritization framework will be the first of its kind for FedRAMP.
“GSA has operated FedRAMP, to date, as a first-in, first-out program,” Mill said. “That’s really important from a fairness perspective and predictability perspective, but there are priorities in the world as the world continues to change and as the government has different needs.”
