Exploring new ways to scale FedRAMP

December 20 | 2024

For years now, federal agencies, companies, Congress, and a series of administrations have made clear they value what FedRAMP does and want to see the program scale and the marketplace grow well beyond what it is today. We share this goal, especially as there is growth in the demand for FedRAMP from agencies and cloud providers alike. For example, 2022 was an inflection point, where the number of new cloud services entering into our pipeline increased by 66%, and has stayed at that level since then. Our authorization capacity, on the other hand, did not grow to meet it and has remained at around the same levels before and after 2022. Put simply, demand has increased. Over the past year, GSA laid the foundation to meet that increased demand. We published a roadmap in March to organize our work with scale in mind. The roadmap informed our investments in a new technology team, a developer hub, a data platform, as well as pilot and public proposal initiatives like agile change requests, machine-readable packages, cryptographic module guidance and program metrics, among other things.

This work is starting to address some of the long-term root challenges in FedRAMP, while making it clear what our capacity constraints are as a program, particularly with a still-modest team. We also know our stakeholders are eager to see our efforts translate more quickly into increased program capacity, including a new pathway to authorization led directly by FedRAMP, and a quicker and more straightforward review experience.

For the process to change in some of the fundamental ways that agency and cloud customers want it to, we believe it’s worth exploring creating a new funding source. As part of that we want to open the conversation around potentially charging cloud providers as part of going through the FedRAMP process.

With a thoughtful and customer-sensitive approach, we believe that having a funding source that can grow at the same time as demand grows will let us move more authorizations through the system and oversee cloud providers in a more flexible way – which could ultimately save companies money and time overall.

This is the early stage of discovery, and a decision to charge cloud providers has not been made. Any final plan will be informed by your input and involve direct consultation with cloud providers – particularly smaller businesses, for whom we do not want to make entering the federal market harder – as well as a hefty amount of internal government coordination. We’re opening this dialogue because we believe increased funding to support scale may be necessary for FedRAMP to work the way that everyone – including us – wants it to.

What new funding could enable

We have a few ideas on what a demand-responsive funding source could let us change about how FedRAMP works. These are generally centered around more capacity to conduct ongoing oversight (“continuous monitoring”) before and after authorization. Ideas include:

  • Continuous monitoring before authorization. We’ve been exploring allowing the continuous monitoring process to begin before a cloud provider becomes authorized. This would allow cloud services to continue making changes and growing their product in a way that FedRAMP can see and adapt to, giving a provider less reason to “freeze” its service (or create a frozen government-focused copy) during the FedRAMP review process. When combined with the non-blocking “significant change request” process we’re building out of our agile delivery pilot (part of our drive towards a more secure continuous assessment model), this has potential to make the FedRAMP process much smoother for companies, and make it easier for a cloud service provider to decide to get started with FedRAMP.
  • More pilots with quicker expansion. We could more confidently grow the pace and size of the pilots that hold the most promise for changing the experience of going through FedRAMP, like our agile delivery and digital authorization pilots. For example, it could make it easier for us to allow incoming cloud services to opt in to a relevant pilot workflow at the start of the process, rather than the more curated selection process we currently need to use.
  • More centralized security oversight. It’s been clear to us for a while, as well as to groups like the Cybersecurity Review Board who have made recommendations along these lines, that FedRAMP could do more to centrally oversee the ongoing security of cloud services in the Marketplace, even when those services were originally sponsored by individual agencies. That’s why centralized continuous monitoring is a part of our roadmap. Doing this work right means more people and time, and the work gets bigger as the marketplace grows.
  • More people doing reviews. Most simply, we could easily scale the number of human reviewers who work with cloud providers through the FedRAMP authorization and continuous monitoring processes. While we now have a bustling automation team that is working to have computers do the parts of the process that computers can, human judgment and analysis will always remain a part of a security review process. This work increases with more cloud providers in the market, and there are clear bottlenecks here today.

We want your thoughts

Before we go further down this road, we want your feedback on how an approach to charging cloud providers could be implemented in a way that is fair to cloud providers overall, and is appropriate for smaller businesses.

We’d particularly like your thoughts on:

  • As a cloud service provider, what do you think FedRAMP should keep in mind if creating a cost model?
  • Are there particular parts of FedRAMP’s authorization and continuous monitoring processes you think should receive the most direct investment?
  • Are there other significant process changes or options (such as the pre-authorization monitoring example described above) that FedRAMP could consider making with dynamic funding?
  • Are there other security/compliance programs that charge money, in the US or internationally, that would be good models for FedRAMP to consider?
  • How might FedRAMP design a cost model that is right for smaller businesses?
    • How might FedRAMP distinguish between smaller and larger businesses in the context of the commercial cloud sector?
    • How might FedRAMP distinguish between smaller and larger businesses in the context of federal buying, where resellers and prime/subcontractor structures can complicate procurement?

How to submit your comments

Please submit your comments by Friday, February 28, 2025.

To read comments that have already been submitted, click the read-only version.
