Cloud service providers will be able to obtain approval for use by US government agencies drastically quicker through a revamped, heavily automated process, claims the agency responsible for FedRAMP, which says clearing backlogs is its primary focus.
The US General Services Administration (GSA) said a new cloud-native approach will reduce paperwork, simplify security requirements, and use automation for the majority of processes to deliver Authorities to Operate (ATO) in weeks instead of months. Some third parties have claimed the agency avoided questions about immediate support.
“Our partnership with the commercial cloud industry needs serious improvement. Strengthening this relationship will help us fulfil our commitment to cutting waste and adopting the best available technologies,” said Stephen Ehikian, the GSA’s Acting Administrator.
The Federal Risk and Authorization Management Program (FedRAMP) was introduced in 2011 to speed up cloud procurement while maintaining security protections.
Since then, though, it has faced repeated criticism for its slow-moving process, with some agencies choosing to skip it altogether and use non-authorised services.
Building on an overhaul roadmap published last year, the new FedRAMP 20x framework will focus on automation to allow continuous reapproval of security changes to cloud systems, according to the Program Management Office (PMO).
A smaller FedRAMP PMO team will now be primarily focused on clearing the authorisation backlog and providing support to “enable private innovation” as it stops “nearly all other previously discussed work”.
The new FedRAMP will automatically validate 80% of requirements without needing providers to explain how their controls work, compared to the 100% of controls that currently need explaining. It will also “clear the way” for new paths to approval by allowing more direct communication between CSPs and government agencies, over established business channels of course.
According to the GSA, the new changes have already seen “excitement” from CSPs, but Chris Finan, CEO of FedRAMP compliance solutions provider Anitian, told The Stack that it is what happens after the backlog is cleared that matters.
He said: “Can whoever's left in the program office continue with the basic blocking and tackling needed to support the agencies through their ATO process? I'll be watching to see whether agency AOs have the clarity they need to continue program implementation at meaningful scale.”
Finan also said that while he supported the GSA’s commitment to hold public working groups to gather industry feedback, he was more interested to hear about what was being done to support CSPs awaiting feedback today.
Questions about this “were hand-waved” by the GSA after its announcement, he told The Stack, adding: “I would have liked to hear more about their planned support model for this new federated system they've been forced to adopt overnight.”