FedRAMP to announce major overhaul next week

The initiative would seek to automate much of the cloud security program’s approval workflow and shift more control to the private sector.

A cornerstone federal program that certifies the security architecture of private sector cloud services for government use is expected to announce a fundamental overhaul to its processes on Monday, according to multiple people familiar with the matter.

The moves, in the long term, are expected to automate many of the certification process steps for the Federal Risk and Authorization Management Program, or FedRAMP, which is used to ensure cloud providers meet strict cybersecurity requirements before government agencies can use their services, according to the people, who were granted anonymity to be candid about the forthcoming changes.

FedRAMP has been a mainstay in government procurement for the last decade but has faced repeated complaints about the slow pace of cloud service approvals. FedRAMP has different approval levels that vary based on the sensitivity of the data a cloud service can handle, with higher levels requiring stricter security controls and generally longer review processes.

The new “FedRAMP 2025” model, as it is known to one person familiar with the changes, aims to transition the program’s approval processes from manual compliance checklists to real-time, automated security validations, said the person, who added that much of the approval work could fall on the private sector to oversee. Representatives from two large tech companies that do business with the government also echoed that potential dynamic for private sector-led approvals.

A document that has been circulating in the contracting community for about the past week outlines the expected plan to reformat the cloud certification program and notes that FedRAMP outreach to the private sector is expected to begin later this month or early next month, one of the people said.

FedRAMP Director Pete Waterman is scheduled to speak at an Alliance for Digital Innovation event on Monday. The General Services Administration, which oversees FedRAMP, did not immediately respond to a request for comment.

Over 380 cloud solutions have been authorized for use at various levels throughout the government, according to the FedRAMP marketplace. Private firms that wish to sell cloud services to federal agencies must obtain FedRAMP authorizations for those services at the Low, Moderate and High risk impact levels.