FedRAMP Issues a New Challenge: Help Us Improve

If you have issues with the Federal Risk and Authorization Management Program process—and ideas to make it better—now is the time to speak up through the Ideation Challenge running for the next four weeks.

FedRAMP was created to provide a central certifying body to validate the security of cloud products being sold to federal agencies. However, while it was established to streamline the process, it has instead become marked as a primary bottleneck to adopting cloud technologies in government.

Any system—infrastructure, platforms, software applications—running on or being used by federal agencies must go through a rigorous process and be certified with an authority to operate, or ATO. While agencies can—and most often do—complete the certifications internally, the FedRAMP program is meant to offer provisional ATOs that can then be reused throughout government.

The problem: The FedRAMP ATO process is often long and expensive for the companies seeking authorization, and once received agencies are reticent to rely on others’ work when it’s their data on the line.

The FedRAMP Program Management Office and its parent office, the Technology Transformation Services, are well aware of these issues.

In a July 17 hearing before the House Oversight Subcommittee on Government Reform, TTS Director Anil Cheriyan outlined three steps the FedRAMP program is taking: a working group under the government-industry partnership ACT-IAC, improving the process through automation, and conducting more outreach with stakeholders. During a keynote Wednesday, he offered a fourth: the new Ideation Challenge.

“Help us understand how to make the changes happen,” Cheriyan said at the Federal Cloud Marketplace Forum hosted by ATARC. “We want really bold, innovative ideas—innovative and actionable ideas, I should say.”

Specifically, Cheriyan said he hopes to hear ideas about how the program can move faster, either through automation or by streamlining the process.

He also stressed that feedback and suggestions can be about more than just technology.

“It can be process questions, it can be risk-based questions,” he said, adding that solution might be non-technical in nature.

Ashley Mahan, acting FedRAMP director, echoed that sentiment, adding that the program office wants to hear from everyone, not just the IT and security departments.

“If you’re a technologist, if you’re in sales—whatever information that you have that would be useful and that you can contribute to help us evolve and come up with a FedRAMP 3.0, we’re asking for your help today,” she said.

“I’m a big believer that industry has a lot of excellent solutions out there. It’s just a matter of harnessing it and getting that feedback,” Mahan said. “So, that’s what this challenge is set to do.”

Mahan offered a list of areas she expects to hear about.

“How can FedRAMP meet your customer needs? What is it we can do to improve the authorization process? What does that mean in terms of FedRAMP deliverables? How should we be looking at this end-to-end authorization process? What haven’t we figured out?”

The challenge itself—posted to FedBizOpps and the General Services Administration’s Challenge.gov—leaves the framework for responses open but offers an optional template through leading questions, such as suggesting respondents reframe the issue at hand, provide a technical and process breakdown of their idea, and identify potential resources and metrics for implementation.

Per the notice: “No idea is too small!”

Those with ideas have until 5 p.m. Aug. 22 to submit.