The FedRAMP Agile Delivery Pilot
July 10, 2024
By Ryan Palmer and Samuel Leestma
Today, FedRAMP is launching a new pilot program, rooted in iterative development and customer engagement.
Our first pilot effort will be on a new non-blocking process for reviewing significant changes, with an initial focus on new feature additions to existing cloud service offerings (CSOs). As we discussed in our roadmap release, the goal is to eventually replace the current “significant change request” process with an approach that does not require advance approval for each change. We’re piloting this approach because we believe the same security outcomes can be achieved by an alternative approach that empowers cloud providers to continuously deliver and assess improvements using secure and agile delivery and deployment practices.
Kicking off with the Agile Delivery pilot
We have seen significant interest in our Agile Delivery pilot. The data gathered from this pilot will help inform program-wide changes to streamline the current processes for change management. Our long-term goal is to shift the FedRAMP process to one that is based on continuous assessment rather than assessing point-in-time snapshots.
Currently, cloud service providers (CSPs) must go through independent testing and FedRAMP approval before rolling out security-relevant changes. While this process helps ensure security impacts are understood in advance, it adds unpredictability and delay to the act of product improvement, creating risks and opportunity costs. Agencies may see significant delays before getting access to features – including security features – that can help them deliver on their mission. CSPs may create government-specific offerings that lag behind their commercial offerings, or elect not to enter the FedRAMP Marketplace at all, so as not to delay development and improvement of their core product.
The Agile Delivery pilot intends to ensure that agencies can leverage the latest features and services while removing the roadblocks for CSPs to bring these features to market.
Agile Delivery pilot prerequisites
CSPs who have a new feature they plan to release before December 31, 2024, are encouraged to apply. CSPs should have mature automated configuration management and change management processes, whose details they are willing to share with FedRAMP.
FedRAMP will work with the CSP and their authorizing official (AO) to determine participation, targeting around 20 participants with different approaches. Pilot participants must continue to inform agencies of the changes, provide self-assessment artifacts, and undergo independent testing by January 31, 2025.
To limit the scope and potential impact of changes to agencies, new features launched as part of this pilot must be opt-in: the feature must not be required for the rest of the offering to function, and an agency customer must proactively decide to use it. Changes to the fundamental underlying architecture, and new security control implementations that apply to the entire offering, are excluded from the pilot. In short, for this pilot the agency must choose to use the new feature, and the new feature cannot change the:
- system’s fundamental architecture,
- types of components used such as databases, operating systems, or containers,
- tooling used to configure, secure, and scan those components, and
- customer responsibilities for existing features or services.
Please visit our pilot program web page for more information on how to apply. FedRAMP will accept applications from now through July 26, 2024, and will work with the CSP and agencies to make selections by August 16, 2024.
Stay informed
Remember, our pilot program web page will house information about our pilots. Email us at pilots@fedramp.gov to drop us a line if you have questions.