Frank Konkel | Nextgov | March 29, 2016 | 0 Comments

A Revamped FedRAMP Revealed

Flick user Chris Potter

The Federal Risk and Authorization Management Program announced Monday how it plans to speed up authorizations without risking security, publicly introducing a FedRAMP readiness capabilities assessment.

The goal of the revamped process is essentially to allow vendors to demonstrate the capabilities of their cloud solutions early on in the FedRAMP process rather than the current scenario in which thousands of pages of cloud security documentation precede any demonstration of capabilities.

According to FedRAMP Director Matt Goodrich, who spoke Monday at a FedRAMP event at the General Services Administration's headquarters, the old approach has proven time consuming, and as time has gone by, more duplicative and less effective as more cloud service providers attempted to have their offerings meet FedRAMP’s requirements.

In this revised FedRAMP, third-party assessment organizations will play a more prominent role in cloud-security vetting, performing onsite assessments of a cloud service provider's system, the results of which will be documented in a FedRAMP readiness assessment report.  

“The goal of this is to allow vendors to demonstrate their capabilities faster through an assessment by a 3PAO than through documentation reviews by the FedRAMP PMO," according to draft language posted Monday for the FedRAMP Readiness Assessment Report Template and an accompanying document, the FedRAMP Readiness Assessment Guidance for CSPs and 3PAOs. "This will in turn enable CSPs and agencies to achieve FedRAMP authorizations faster without negatively impacting risk and quality of security packages."

The public will have through April 29 to comment on the new language.

Goodrich said the new process should significantly reduce the cost and time it takes for cloud service providers to go through the FedRAMP pipeline. In recent months, the FedRAMP PMO came under criticism as authorization times jumped to more than 12 months.

Under the new scenario, a cloud service provider could earn “FedRAMP-ready” status in weeks, allowing it to market its solutions to agencies while concurrently going through still-mandatory documentation reviews.

On Monday, Goodrich also announced FedRAMP will cease the “CSP supplied” route to meeting the program’s requirements. This road map, Goodrich said, was the least successful blueprint for agencies to actually meet FedRAMP standards. In the supplied route, cloud service providers would have thousands of pages of documentation drawn up and assessed by a third-party assessment organization and submitted to the FedRAMP office.


Thank you for subscribing to newsletters from
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.


When you download a report, your information may be shared with the underwriters of that document.