
FedRAMP Metrics for Public Comment

July 30 | 2024

By Ryan Hoesing

Update: To ensure that we hear from as many voices and gather as much input as possible, we are extending the deadline for comments. Please review the proposed metrics and submit your comments via Smartsheets by Thursday, September 5, 2024, 11:59 PM EDT.

FedRAMP Announces Key Performance Metrics for Public Comment

As we outlined in our FedRAMP roadmap, we’re committed to continuously improving FedRAMP to better serve our stakeholders.

Today, we are asking for public feedback on a proposed set of metrics that would measure the end-to-end FedRAMP authorization experience and align with our mission of being a security-first program. We will use the feedback we get on these metrics to focus and refine this list to a set of measures that will keep FedRAMP focused on security and customer experience.

For years, people in industry and government have asked FedRAMP reasonable questions, such as:

  • How long does a FedRAMP authorization take?
  • How expensive is a FedRAMP authorization?
  • How much does it cost an agency to partner with a cloud provider for a FedRAMP authorization?
  • What are the biggest “show-stoppers” that stop cloud providers from achieving a FedRAMP authorization?
  • How quickly can an agency reuse an already authorized product?

To help us answer these questions, our proposed metrics are broken out across two areas:

  • An end-to-end customer experience: This will start the moment an organization decides it would like to pursue a FedRAMP authorization, continue through the authorization phase itself, and extend to the ongoing continuous monitoring that is required to maintain an authorization.
  • A security-first program: FedRAMP provides a trusted marketplace to our stakeholders. By integrating security into our metrics, we aim to build upon that trust and create efficiencies. We want to measure how well authorized CSOs are meeting our security standards, and identify any gaps at an aggregate level. Understanding common security gaps can help us avoid unnecessary back-and-forth during the authorization process. By gathering metrics on these recurring issues, we can better focus our guidance and training efforts.

The metrics are designed to capture the experiences of different customers and partners, as well as FedRAMP’s performance.

How to help us

We encourage all stakeholders, including CSPs, federal agencies, 3PAOs, and the general public, to provide feedback on these proposed metrics. As you review these metrics, please help us make our metrics comprehensive, accurate, and something that speaks to your needs.

These metrics are not exhaustive, and FedRAMP plans to revisit them each year to ensure we are updating our metrics to reflect the changing landscape of the program. Future metrics will also be further informed by the FedRAMP Government Risk and Compliance (GRC) platform buildout.

Questions to consider when reviewing the metrics

We understand that capturing some of these newly proposed metrics will be challenging and rely on imperfect data provided by external stakeholders. We have included considerations and potential challenges where we could, but are very interested in hearing public feedback in areas we may have overlooked. As you review the proposed list of metrics, please keep in mind some of the questions below and please provide your feedback!

  1. In your opinion, what are the most important metrics for assessing the efficiency and effectiveness of the FedRAMP process and how can FedRAMP ensure we are getting an accurate representation of this data when collected?
  2. What role could FedRAMP play in helping define success regarding timeliness and cost effectiveness of the authorization process where FedRAMP is not involved in every phase of the authorization process?
  3. What types of information would help to manage your expectations and improve your experience during the FedRAMP authorization process?
  4. Do you use specific performance metrics within your organization to monitor progress that you feel would be a good standard to share with other FedRAMP stakeholders?
  5. How confident are you in the quality and completeness of the data you will provide for these metrics? What measures do you think could improve the accuracy and reliability of the data?

Please review the proposed metrics and submit your comments by Thursday, August 29, 2024, 11:59 PM EDT.

To read comments that have already been submitted, click the read-only version.
