FedRAMP®

FedRAMP® Modernization Initiatives

Keith kidd

Keith Kidd

Principal, FedRAMP Advisory Services

July 25, 2024

The Federal Risk Authorization Management Program (FedRAMP®) has initiated new programs and made created the FedRAMP Automation Website in support of strategic goals outlined in the FedRAMP Roadmap 2024-2025, released by FedRAMP in March 2024. We will highlight three recent developments the FedRAMP released to support the strategic goals outlined in the roadmap. These are the Emerging Technology and Prioritization Framework, the Agile Delivery Pilot, and the FedRAMP Automation Website.

Emerging Technology Prioritization

In response to the Executive Order (EO)14110, FedRAMP published the final Emerging Technology (ET) Framework on June 27, 2024. The framework outlines the emerging technologies being prioritized for authorization. The first priority selected is generative artificial intelligence (AI). This includes chat interfaces, code-generation and debugging tools, prompt-based image generators, as well as associated application programming interfaces (APIs) that provide these functions.

Prioritization of a cloud service offering (CSO) with generative AI capabilities does not require an existing FedRAMP ATO. The CSO must show demand for the service to qualify and be selected. The types of demand are: 

  1. Current – Existing unique federal agencies customers or agencies willing to partner
  2. Indirect – Indirect customers (other CSPs with an ATO)
  3. Potential – Projected adoption within 12 months of ATO (current use of the on-premises or commercial version of the solution)

FedRAMP initial plans to open two application windows per year, with dates being announced on the FedRAMP blog. Applications can be submitted using the Emerging Technology (ET) Cloud Service Offering (CSO) Request Form.

Agile Delivery Pilot

The new pilot program is open to existing CSPs (with ATOs) with a focus on improving the process and speed to implement significant changes associated with a feature change that does not change the underlying CSO infrastructure. This will deviate from the current process requiring advanced approval for all significant change requests (SCRs).

The Agile Delivery Pilot is a step towards taking FedRAMP from point-in-time assessments to one based on a continuous assessment process. The pilot is targeted at current FedRAMP CSPs with a mature automated configuration management and change management processes. The prerequisites for the pilot are having a planned feature release before December 31, 2024, that the sponsoring agency plans to use. The feature must be opt-in, meaning it does not impact the core functionality of the CSO.

Pilot Timelines
  1. The pilot application deadline was set for July 26, 2024
  2. Selections for the pilot will be made by August 16, 2024
  3. The pilot will run from September 15 thru December 31, 2024

Visit the FedRAMP Pilot Program page for more information on the active and pilot programs.

FedRAMP Automation Website

FedRAMP launched automate.fedramp.gov on July 11th to provide the technical resources that developers need to help modernize the security assessment, authorization, and continuous monitoring processes required of cloud services for federal government use. A core function of these resources is providing developers the necessary information to develop tools to use and improve upon the Open Security Controls Assessment Language (OSCAL). FedRAMP OSCAL improves speed, accuracy, and automation for the FedRAMP process. FedRAMP sees OSCAL as a tool to speed up reviews, and ultimately, the authorization process. 

For a broader look at how FedRAMP is working to improve the program by balancing speed and security, check out FedRAMP Improvements: Balancing Speed and Security by Coalfire Principal, Christine Biggs.