Officials with the General Services Administration’s (GSA) Federal Risk and Authorization Management Program (FedRAMP) said on June 11 that they envision rapid progress through the rest of this year on several pilots that are aiming to harness automation to speed FedRAMP’s ability to approve cloud-based service offerings for government agency use.

Since the program's 20x revamp effort was launched in March, automating FedRAMP's traditionally laborious and human-intensive processes has been the major theme of the four new working groups that were opened to industry and have since been pared down to two.

As detailed by the program in April, the 20X effort has launched a Phase One pilot that is seeking to test “how cloud service providers can meet FedRAMP Low authorization requirements using a combination of automated technical validation, existing commercial certification, and simple documentation requirements to generate machine-readable packages that can be assessed by trusted third parties.”

Central to the Phase One pilot – and to coming pilots for higher-level FedRAMP authorizations – is the use of key security indicators (KSIs), which the program intends to use to evaluate the security of cloud services more rapidly. The use of KSIs in the 20x revamp effort represents a new approach to assessing cloud service providers for FedRAMP authorization, relying on a more automated, machine-readable validation process.

The program called for comment earlier this year on the KSIs to be used for its ongoing Phase One pilot for FedRAMP “low” authorization requirements, and the KSIs are expected to be expanded for a coming pilot for FedRAMP “moderate” authorizations.

During a public meeting of its 20X working group on June 11, program officials charted out a busy schedule over the next several months to move the 20x revamp effort along.

First, program officials said they are getting close to the finalized release of the KSI standard being used for Phase One pilots. Program Manager Pete Waterman clarified that the KSIs are being used for the Phase One pilots but have not yet been finalized.

“Before we finalize those for wide release and permanent FedRAMP authorization, there will be another round of editing, tweaking, tuning, based on what we learned in the pilot,” he said. “Those will go through a formal approval process and will get released at that time.”

Another program staff member said the program has received two formal submissions for authorization under the Phase One pilot, along with nine draft submissions, and that the program expects things to move quickly from there.

“Our goal is to start issuing 20x authorizations later this month, but we’re also still accepting and reviewing draft submissions, so this is our most flexible phase,” the staffer said, adding, “Feel free to be creative in your approach and make your submissions public so everyone can learn and collaborate together.”

Talking about the submissions received thus far, another staff member said, “From what I’ve seen so far, there seems to be sort of a mix of CSPs [cloud service providers] who really want to engage with the pilot program and offer solutions. Then there are others who are sort of looking for more guidance from us.”

Responding to a question on the program’s intention to proceed to moderate and high authorizations through the 20x pipeline, Waterman replied, “That’s exactly correct. We will go moderate, then high.”

While the program manager said that “timelines are flexible,” he also stated, “Based on delivery right now, we’re expecting the low pilot to go through probably August to September.”

“Then low will become a formal path that has been released for everyone, and it will start the moderate pilot almost directly after that,” he said.

“We expect the moderate pilot likely to be done by December, then open for submissions, and then after that, we go to high,” Waterman said.

“Stay tuned to our website at fedramp.gov/20x,” he advised, adding, “We’re walking through all of that as we build it. This is not a situation where we are trying to work to a timeline. We are working to delivery and execution of a high-quality product.”

“The speed and the pace at which we deliver will depend on how much participation we have, how effective things are, how much we can keep up with demand, et cetera,” he said. “So, stay tuned, watch out.”

“There’s a big reason why we said people that participate in the low will be prioritized for the moderate, because by the time they come back for moderate, we’ve already seen what they’re doing, we know how they’re taking the approach, it makes sense, it’ll be a lot easier for us to review it,” he continued.

“I’ll just add, during the low, we’re going to see a lot of generation and creation of tooling and processes to do this,” Waterman said. “People are learning how to do it and building the products. By the time we get to moderate you’re going to have infrastructure as a service providers that are providing some of this capability.”

John Curran
John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.