If you've ever thought that the FedRAMP (Federal Risk and Authorization Management Program) authorization process is challenging and laborious, things may be getting better. The General Services Administration (GSA) has publicly committed to improving the authorization process by publishing a public roadmap to modernize FedRAMP.
The purpose of FedRAMP is to act as a central intermediary between federal agencies and cloud service providers (CSPs) in order to make it easier for agencies to purchase software services and for CSPs to sell software services to agencies. By being the middleman, FedRAMP creates a single marketplace that reduces the amount of time it takes for an agency to select and purchase a product. From the CSP perspective, FedRAMP becomes a single standard that they can target for compliance, and after achieving authorization they get access to 200+ agencies that they can sell to—a win-win.
Unfortunately, that promised land hasn't been the typical experience for either side of the exchange. Since FedRAMP's inception in 2011, the demand for cloud services has increased significantly. Cloud was still in its infancy at the birth of FedRAMP, and the majority of federal agencies still procured software with perpetual licenses rather than as a cloud service (e.g., SaaS). In the 10+ years since, that preference has inverted, and the predominant delivery model is now infrastructure/platform/software-as-a-service.
This has led to an environment where new cloud services pop up every year but federal agencies don't have access to them via the streamlined FedRAMP marketplace. On the other side of the coin, CSPs want access to the market of federal agencies that are only able to procure software via FedRAMP, but becoming FedRAMP authorized is a complex and laborious process that erodes the value of gaining access to this market.
Luckily, the GSA isn't resting on its laurels. Based on feedback from all stakeholders, it is prioritizing a revamp of the FedRAMP authorization process to take into account the shifting preferences in the market. To help you get a sense of what is happening, how quickly you can expect changes, and the benefits of the initiative, we have compiled a comprehensive FAQ.
Frequently Asked Questions (FAQ)
How soon will the benefits of FedRAMP modernization be realized?
Optimistically, changes will roll out over the next 18 months and be complete by the end of 2025. See the full rollout schedule on the public roadmap.
Who does this impact?
- Federal agencies
- Cloud service providers (CSPs)
- Third-party assessment organizations (3PAOs)
What are the benefits of the FedRAMP modernization initiative?
TL;DR—For agencies
- Increased vendor options within the FedRAMP marketplace
- Reduced wait time for CSPs to complete the authorization process
TL;DR—For CSPs
- Reduced friction during the authorization process
- More clarity on how to meet security requirements
- Less time and cost spent on the authorization process
TL;DR—For 3PAOs
- Reduced friction between 3PAOs and CSPs during the authorization process
- Increased clarity on how to evaluate CSPs
What prompted the GSA to improve FedRAMP now?
GSA is modernizing FedRAMP because of feedback from stakeholders. Both federal agencies and CSPs have levied complaints about the current FedRAMP process. Agencies wanted more CSPs in the FedRAMP marketplace that they could then easily procure. CSPs wanted a more streamlined process so that they could get into the FedRAMP marketplace faster. The point of friction was the FedRAMP authorization process, which hasn't evolved at the same pace as the transition from the on-premises, perpetual-license delivery model to the rapidly changing cloud services model.
How will GSA deliver on its promises to modernize FedRAMP?
The full list of initiatives can be found in their public product roadmap document but the highlights are:
- Taking a customer-centric approach that reduces friction in the authorization process based on customer interviews
- Publishing clear guidance on how to meet core security requirements
- Streamlining the authorization process to reduce bottlenecks, based on best practices from agencies that have developed a strong authorization process
- Moving away from lengthy documents and towards a data-first foundation to enable automation of the authorization process for CSPs and 3PAOs
Wrap-Up
The GSA has made a commitment to being transparent about the improvements to the modernization process. Anchore, as well as the rest of the public sector stakeholders, will be watching and holding the GSA accountable. Follow this blog or the Anchore LinkedIn page to stay updated on progress. If the 18-month timeline is longer than you're willing to wait, Anchore is already an expert in supporting organizations that are seeking FedRAMP authorization. Anchore Enterprise is a modern, cloud-native software composition analysis (SCA) platform that both meets FedRAMP compliance standards and helps evaluate whether your software supply chain is FedRAMP compliant. If you're interested in learning more, download "FedRAMP Requirements Checklist for Container Vulnerability Scanning" or learn more about how Anchore Enterprise has helped organizations like Cisco achieve FedRAMP compliance in weeks versus months.