Take a moment to think about all the sensitive information the United States federal government has access to: tax returns, Social Security numbers, medical information. Handling this trove of data makes cybersecurity perhaps more important for the federal government than for any other entity. Recognizing this, the federal government has created programs like CMMC and FedRAMP.
For over a decade, the Federal Risk and Authorization Management Program (FedRAMP) has been providing a standardized approach for authorizing the use of cloud services in federal procurement. However, over time, flaws have come to light, which have resulted in costly and lengthy delays for Cloud Service Providers (CSPs). Due to these shortcomings, the General Services Administration (GSA) recently announced plans to streamline the process through a new initiative called FedRAMP 20x. This new initiative is designed to automate the majority of the process and shift the focus from agency sponsorship to private sector processes.
FedRAMP was launched in 2011 with the mission of standardizing security assessment, authorization, and continuous monitoring for cloud solutions through a government-wide program. This allows federal agencies to know that they are purchasing a modern, secure cloud solution.
FedRAMP was designed in partnership by GSA, National Institute of Standards and Technology (NIST), Department of Homeland Security (DHS), Department of Defense (DoD), Office of Management and Budget (OMB), the Federal Chief Information Officer (CIO) Council, National Security Agency (NSA), and the private sector.
The goal was to create a win for both government agencies and taxpayers by creating a standardized government-wide approach that would expedite approval, save taxpayer money, and modernize federal IT systems. If you’ve accessed government systems recently, however, you may find that this is still more aspiration than reality. Government solutions are still frequently outdated. This is in part due to the current lengthy and largely manual FedRAMP authorization process.
CSPs are currently required to submit a large amount of data and documentation through a manual review process. Noting that this cumbersome process is hindering FedRAMP’s goal of providing the most modern and secure cloud services, FedRAMP 20x plans to automate authorization as much as possible, with a goal of more than 80% of requirements being automated.
This new initiative for FedRAMP is in the planning stages, so details are still scarce. We know that the goal is to implement cloud-native continuous security assessment with automated monitoring that incorporates commercial security best practices. Here are a few goals and highlights planned for FedRAMP 20x:
Overall, this should reduce duplication of effort, which was a primary driver of FedRAMP’s establishment in the first place, and put private sector practices at the center, saving CSPs time, money, and effort. An important caveat to the above is that FedRAMP High Impact authorizations will stay under a manual process for the time being, though those are also planned to transition to an automated process in the future.
FedRAMP is planning to allow Software-as-a-Service (SaaS) offerings that meet these requirements to transition to FedRAMP 20x as part of phase one:
However, these requirements are not finalized and may change.
While you may be excited by these upcoming changes, it is important to note that, for the time being, the only available option for FedRAMP authorization is still the FedRAMP Rev. 5 baselines. If you have already started on the path to authorization, you will likely want to see it through, as the timeline for implementation of FedRAMP 20x is unclear. Be aware, however, that FedRAMP will no longer provide updated technical assistance or guidance for implementing Rev. 5 baselines. In addition, FedRAMP itself will no longer complete “triple check” reviews of FedRAMP Rev. 5 packages. Agencies instead will review the package and complete the risk assessment on their own.
If you would like to play a part in guiding the drafting of FedRAMP 20x, four Community Working Groups have been launched that host recurring town halls in which industry can contribute. In addition, a formal public comment period will be held before FedRAMP 20x is rolled out.
As seen in FedRAMP 20x, federal procurement is changing rapidly, as agencies lean more into automation and deploy AI in an effort to increase efficiency. If successful, the frequently maligned red tape of government procurement could be substantially curtailed. If you would like to discuss how best to set your firm up for success in the new federal contracting landscape, reach out to Winvale and we would be happy to help you on the path to success in federal procurement.