FedRAMP, Looking Back on 2024, Ahead to 2025
December 19 | 2024
2024 has been a full year for FedRAMP, with changes large and small to the program and its team. While some of this work came with visible announcements, much was done behind the scenes. As 2024 comes to a close, we want to take a look back at how FedRAMP has changed and point to a little of what we see coming in 2025.
Our strategy for 2024 centered on tackling some of the root causes that have held FedRAMP back from being able to make the bigger changes needed to reduce the time and cost of the process and center FedRAMP around risk management. We focused primarily on rebuilding the FedRAMP team with tech expertise at the center, proposing new policies and pilots focused on agility and risk management, and establishing a new FedRAMP Board designed to support rapid iteration and clear decision-making.
Rebuilding FedRAMP as a technology team
By the end of 2024, FedRAMP will have dramatically expanded its technical capacity.
This includes FedRAMP’s first-ever engineering team, a big new investment of people and resources in our automation and data work. This team is focused on using software engineering, data science, and AI to streamline and automate how FedRAMP works and better understand the vast amount of semi-structured data FedRAMP routinely collects. This team is also building tools using OSCAL, a standard for machine-readable security information, that will help our customers submit digital authorization packages that have all the information that FedRAMP needs. This work is being done out in public, with our engineering team working with a revitalized open source community and developer hub where we’re building the tools and APIs to integrate with FedRAMP in partnership with companies and agencies.
We worked with the Office of Management and Budget to create a new FedRAMP Technical Advisory Group made up of technical experts with diverse skills from across the government. The Technical Advisory Group has proved to be invaluable in shaping our work priorities and providing an independent gut check on the changes we propose so we can fix them before they go public.
This focus on tech experience extends to FedRAMP’s leadership as well - the program’s Director and its division chiefs all have years of practitioner experience with software and the cloud. In 2025, we expect to welcome our new Security Director and other new members of the authorization team they’ll lead. The investments we’ve made in technology capacity will allow us to start retooling the FedRAMP authorization process itself to reap the benefits of automation and to focus more clearly on risk management and security outcomes.
Altogether, these changes put FedRAMP in a much better position to deploy the APIs that customers are looking for, to design smarter policies and processes, and to make tricky risk management decisions with higher confidence.
Baking agility and risk management into FedRAMP
Speed can be a security property. With that in mind, a big theme for FedRAMP in 2024 has been to look for places to improve speed and security at the same time.
We launched our agile delivery pilot, intended to remove some of the change-control-board-like approval steps involved when authorized cloud providers make changes to their services and to make the review process simpler and more predictable. That pilot launched with six cloud services and is focused primarily on changes that don’t fundamentally alter the privacy or security state of a system. Next year we expect to take what worked well about this pilot and build on it, and to identify how to further expand the scope of what can run through a shift-left process like this.
We also began piloting digital authorization packages, a foundational step in making the package submission and review process into something that is capable of being automated and can cut down on re-reviews and unnecessary churn (among the many other security and data benefits that moving away from multi-hundred-page documents will ultimately bring to FedRAMP). The OSCAL-based specs for this work are being developed in the open, and next year we expect to have a technical platform in production that can begin to deliver on the benefits of this investment.
FedRAMP published a long-requested draft policy for cryptographic modules and how the requirements of FIPS 140 should apply in the FedRAMP context. Some of the biggest issues that cause delays and re-reviews during authorization and continuous monitoring are a lack of clarity around when and where cryptographic requirements apply and what a cloud provider should do when there’s a security issue in a cryptographic module. Our goal with this policy is to untangle what can feel to many cloud providers like conflicting security requirements, particularly when there’s a known security vulnerability that needs urgent patching. We received terrific public engagement during the comment period and we’ll continue to consult with the National Institute of Standards and Technology and work with the FedRAMP Board to finalize this policy early in 2025.
We still need to grow and iterate on this work, and there are plenty of other updates in this vein coming (such as our upcoming boundary guidance), but each of these initiatives represents a real directional shift for FedRAMP and took a lot of work in 2024 to get moving. We’re excited to keep building on all of this next year with more capacity and a clearer vision based on what we learned in 2024.
A new way of working with FedRAMP’s Board
The FedRAMP Board, established by the FedRAMP Authorization Act, started operation this year with members appointed by the Federal Chief Information Officer at OMB. The Federal CIO and the FedRAMP Director act as non-voting Chair and Vice Chair, respectively.
At seven people, it’s a bigger Board than the former Joint Authorization Board – it includes the agencies who were on the JAB but can now represent a broader swathe of the federal community, including smaller agencies. Despite being larger, the FedRAMP Board meets more frequently (about once a month since starting) and works more directly with FedRAMP’s leadership to solve problems. Working directly with the Board has enabled us to make decisions more confidently and quickly about policy changes and some of the trickier authorization decisions we have to make. Beyond that, it has deepened our partnership on joint initiatives with Board members and their teams, who are just as excited to retool FedRAMP as we are.
We see the creation of the new FedRAMP Board as a foundationally positive development that is enabling FedRAMP to centrally execute against a strategy and iterate more rapidly on improvements to the program. And we’re grateful for the time and energy that the executives on the FedRAMP Board, who all have other demanding jobs, are personally devoting to FedRAMP through this period.
Throughout all this, we worked with the former JAB teams and dozens of cloud providers to transition away from the JAB as an authorization body. That work has primarily meant ensuring that cloud providers that were authorized or prioritized by the JAB have a clear sponsor or authorization pathway (we recently put up a page detailing the state of the JAB transition that will continue to be updated as things change). While it will still be a while before FedRAMP can open this path market-wide, we have been working to iterate on that process and issued our first program authorization this year to a cloud provider that had been prioritized by the JAB, to smooth the JAB transition.
We also continued our engagement with the Federal Secure Cloud Advisory Committee (FSCAC), the advisory committee established by the FedRAMP Authorization Act that remains a valuable conduit to our partners in industry. Between the Board, the FSCAC, and the Technical Advisory Group, FedRAMP has a solid set of governing and advisory partners.
These changes to FedRAMP’s governance mean that in 2025, FedRAMP is well positioned to build out that program authorization process, to advance our integration and reciprocity with key Board members like the Department of Defense, and to finalize more changes to FedRAMP that our customers have engaged us on. This includes not just policies like our cryptographic module guidance, but also the proposed program metrics that we got your comments on earlier this year, a roadmap priority that is critical to better managing FedRAMP over time.
Looking forward to 2025
We’re well aware that even after all this, FedRAMP can still be a challenging process for our customers; our work in 2024 helped us better understand these pain points by revisiting past assumptions and bringing us closer to the customer experience.
But just as crucially, it has given us the experience, skills, tools, and partnerships to fix these pain points – and more runway to execute than the program has ever had before. We’re entering 2025 ready to keep listening to what customers are telling us and to use what we gained in 2024 to keep making things better. You will see repeated iterative shifts that will add up over time to change FedRAMP’s approach from a broad application of compliance-based review at a single point in time to a more nuanced technical security and risk-based review process that continues after authorization.