FedRAMP's Roadmap Progress, One Quarter In
July 18 | 2024
Earlier this year, we released FedRAMP’s 2024-25 roadmap, where we talked about our vision for the program over the next one to two years, emphasizing our commitment to make it safe and easy for the U.S. government to take full advantage of cloud services to meet its mission.
In this post, we’ll cover some of the progress we’ve made over the last quarter, and a few things on the horizon. We anticipate doing periodic round-ups like this one over the course of the year as we continue to iterate on our priorities.
Open call to cloud providers for our Agile Delivery pilot
Last week, we opened applications for our Agile Delivery pilot. This is a pilot of a new non-blocking process for reviewing significant changes, with an initial focus on new feature additions to existing cloud service offerings.
As we discussed in our roadmap release, the goal is to eventually replace the current “significant change request” process with an approach that does not require advance approval for each change. We’re piloting this approach because we believe the same security outcomes can be achieved by an alternative approach that empowers cloud providers to continuously deliver and assess improvements using secure and agile delivery and deployment practices.
Cloud providers with mature agile delivery practices who have upcoming features that could qualify should apply by July 26, 2024. For more details, read our dedicated blog post on this pilot.
This pilot is the first of what we expect will be more pilot programs by FedRAMP, and stakeholders should visit our new Pilot Program site to stay up-to-date on participating in open opportunities.
Releasing automate.fedramp.gov
automate.fedramp.gov is a new technical documentation hub designed specifically to support cloud service providers (CSPs) in the development, validation, and submission of digital authorization packages, and the developers of governance, risk, and compliance (GRC) applications and other tools that produce and consume digital authorization package data.
The website is initially focused on documenting FedRAMP’s use of the Open Security Controls Assessment Language (OSCAL) to support digital authorization packages – a foundational piece of operating FedRAMP in a data-first way. We plan to expand the website over time as we bring new capabilities online, and it will eventually include details of how to integrate with FedRAMP’s package repository and submission processes.
For more details, you can read our dedicated blog post on it, or engage with us on it in our open source repositories.
Prioritizing generative artificial intelligence in the FedRAMP process
On June 27, we released the final Emerging Technology Prioritization Framework with an initial list of generative AI capabilities for prioritization.
The Emerging Technology Prioritization Framework outlines how FedRAMP will engage with government and industry to identify which emerging technologies to prioritize, how cloud providers can request that their services be prioritized, and how FedRAMP will determine which services to prioritize.
FedRAMP will open submissions for prioritization requests twice a year. Requests for prioritization by CSPs are voluntary. FedRAMP holds prioritized cloud services to the same security standards as all other cloud services, and reviews them in the same way. FedRAMP ensures prioritized cloud services are reviewed first in the authorization process. Requests will be evaluated against the qualifying and demand criteria to ensure prioritized technologies meet the goal of ensuring agencies have access to necessary emerging technologies. Initially, FedRAMP expects to prioritize up to twelve AI-based cloud services using this framework.
Cloud providers whose offerings meet the criteria described in the framework are encouraged to apply by August 31, 2024. See our blog post about the ET Framework for more details.
Starting our knowledge base
We’re working to publish more public documentation about how cloud providers can avoid running into issues and delays in the FedRAMP process. To start this off, we’re publishing our first knowledge base article on protecting government email addresses from being spoofed using DMARC (Domain-based Message Authentication, Reporting and Conformance). Especially for this first article, we welcome your feedback on the structure, clarity, and overall helpfulness of the content. As FedRAMP issues go, DMARC compliance is a relatively straightforward area, so we want to get the approach right as we develop knowledge base materials on more complex areas.
For now, we’ve published a draft of this article on the fedramp.gov website, but we plan to move it to a dedicated knowledge management system later this year. For now, you can make comments or suggest edits to the article via a pull request to the article content on GitHub. Email us at info@fedramp.gov with your suggestions for future articles.
Expanding our technical capacity
FedRAMP is going through a growth period, and we’ve been working to steadily bring on more technical capacity to the FedRAMP team. We’re in the process of hiring several new software engineers and data science professionals to support our automation and data analysis roadmap, as well as senior security professionals to support our continuous monitoring and authorization processes.
We’re also excited to be partnering with the U.S. Digital Corps, a two‑year fellowship program for early‑career technologists, to bring two fellows to the program. These individuals will grow alongside FedRAMP and contribute across our initiatives and operational work.
Increasing our technical capacity is not just about hiring - it is also about expanding the FedRAMP ecosystem. As we mentioned in our governance blog post, the Technical Advisory Group (TAG) was established by the Office of Management and Budget (OMB) and GSA, and is made up of federal employees with significant practitioner experience and expertise in modern cloud technology.
We’ve since met with the TAG multiple times to get their feedback on our roadmap initiatives, upcoming guidance, and other supporting content we’ve developed for our stakeholders.
What’s on the horizon
As we continue to build on our Q3 outcomes, we’re dedicated to keep moving forward towards the following milestones:
Streamlining reviews with our pilot trusted authorizing partner
Faster authorization timelines are essential to scale the marketplace. We continue to work with our partners at DISA on a pilot that will result in faster delivery to the marketplace and use by federal agencies. This pilot will ensure alignment of the Department of Defense’s processes to FedRAMP standards and streamline the FedRAMP review process. The goal of this pilot is to speed up the overall process for cloud providers that work through our trusted authorizing partners, and to create predictability and consistency between our processes and those partners.
Releasing new metrics for feedback
As we said when we released our roadmap, if we are going to impact the cost of FedRAMP and how long it takes to get and stay authorized, we need a better way to measure those things, informed by what our customers are actually experiencing. Our metrics should capture the customer experience, including cost and time, as well as security and other core aspects of the program’s mission.
Soon, we plan to release a set of potential metrics for public comment to gather feedback from our stakeholders. We also recognize that accurately capturing information on external factors is challenging, and we’ll be asking for input from the community on the best approach to doing so.
This is our first of what we expect will be regular updates on the progress we’re making on the initiatives we laid out in our public roadmap. As always, we want your feedback and engagement – please email info@fedramp.gov if you have any questions.
