GSA releases two-year roadmap for fine-tuning FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) has rolled out a set of steps aimed at improving its authorization process and governmentwide adoption of its practices.

In a guide released Wednesday titled “FedRAMP Forward,” the people behind the program highlighted early successes and laid out a two-year plan that will continue to refine the process for everyone involved: agencies, cloud service providers (CSPs) and the independent third-party assessment organizations (3PAOs) that approve cloud services for use.

The report focuses on three key tenets that FedRAMP will home in on over the next two years: improving engagement across government, speeding up the CSP approval process and further adapting to an evolving cybersecurity landscape.


With more than 50 cloud service providers, 31 third-party assessment organizations and nearly every federal agency now part of the FedRAMP process, the goal is to enhance the program so it continues to stay successful.

Over the next six months, the General Services Administration — which oversees FedRAMP — will aim to publish a draft of a newer baseline that will include a standard for data with high sensitivity, release automation requirements that will optimize FedRAMP documentation and release a new website that will help increase understanding of the FedRAMP process.

Within the next year or two, GSA will draft a number of frameworks and methodologies that will increase cross-agency collaboration and use of continuous monitoring, as well as hold an industry day to help refine an automation process when it comes to documentation from cloud service providers.

While GSA wants to streamline the FedRAMP process, it is also putting additional effort into refining the program’s security aspects, with future security frameworks having assessment overlays with other federal cybersecurity programs like Homeland Security Presidential Directive-12 (HSPD-12), Trusted Internet Connection and Continuous Diagnostics and Mitigation.

GSA said FedRAMP will also continue to work with other agencies to update continuous monitoring requirements, adapting to changes from the National Institute of Standards and Technology, Department of Homeland Security or additional requirements put into the Federal Information Security Management Act (FISMA).


“Adapting to meet the evolving cloud offerings and introduction of new services, the levels of data the government is placing in cloud environments, and placing a higher focus on overall risk management instead of compliance will keep FedRAMP ahead of the curve and ensure all stakeholder needs are being met,” a portion of the guide reads.

FedRAMP Director Matt Goodrich outlined this two-year roadmap during NIST’s Information Security and Privacy Advisory Board open meeting earlier this year, after telling the board the FedRAMP team was operating “over capacity.” Only 25 to 40 percent of cloud service providers were FedRAMP compliant as of October, while all federal agencies were supposed to have FedRAMP-compliant cloud by June 5.

“As with any new IT initiative, no one is going to be 100 percent compliant the second there is a mandatory date,” Goodrich said at the meeting. “There is not enough funding to meet every single IT policy that is out there for agencies to meet.”

GSA said as of December, 27 CSPs are FedRAMP compliant with more than 160 FISMA implementations covered by these authorizations. Thirty-one 3PAOs are accredited, and the program has, as a conservative estimate, saved the federal government $40 million.
