Frank Konkel | Nextgov | March 29, 2016

A Revamped FedRAMP Revealed


The Federal Risk and Authorization Management Program announced Monday how it plans to speed up authorizations without risking security, publicly introducing a FedRAMP readiness capabilities assessment.

The goal of the revamped process is essentially to let vendors demonstrate the capabilities of their cloud solutions early in the FedRAMP process, rather than under the current scenario, in which thousands of pages of cloud security documentation precede any demonstration of capabilities.

According to FedRAMP Director Matt Goodrich, who spoke Monday at a FedRAMP event at the General Services Administration's headquarters, the old approach has proven time-consuming and, over time, more duplicative and less effective as more cloud service providers attempted to have their offerings meet FedRAMP’s requirements.

In this revised FedRAMP, third-party assessment organizations will play a more prominent role in cloud-security vetting, performing onsite assessments of a cloud service provider's system, the results of which will be documented in a FedRAMP readiness assessment report.  

“The goal of this is to allow vendors to demonstrate their capabilities faster through an assessment by a 3PAO than through documentation reviews by the FedRAMP PMO,” according to draft language posted Monday for the FedRAMP Readiness Assessment Report Template and an accompanying document, the FedRAMP Readiness Assessment Guidance for CSPs and 3PAOs. “This will in turn enable CSPs and agencies to achieve FedRAMP authorizations faster without negatively impacting risk and quality of security packages.”

The public will have through April 29 to comment on the new language.

Goodrich said the new process should significantly reduce the cost and time it takes for cloud service providers to go through the FedRAMP pipeline. In recent months, the FedRAMP PMO came under criticism as authorization times jumped to more than 12 months.

Under the new scenario, a cloud service provider could earn “FedRAMP-ready” status in weeks, allowing it to market its solutions to agencies while concurrently going through still-mandatory documentation reviews.

On Monday, Goodrich also announced FedRAMP will cease the “CSP supplied” route to meeting the program’s requirements. This road map, Goodrich said, was the least successful blueprint for agencies to actually meet FedRAMP standards. In the supplied route, cloud service providers would have thousands of pages of documentation drawn up and assessed by a third-party assessment organization and submitted to the FedRAMP office.

