Inside Cybersecurity

FedRAMP program to leverage industry expertise as work begins on determining ways to use automation

By Sara Friedman / March 27, 2025

The General Services Administration is looking to speed up the pace of authorizations under its Federal Risk and Authorization Management Program by working with industry on automation, an effort spurred in part by the Trump administration's cuts to the cloud security initiative.

Under the FedRAMP 20x initiative, GSA is taking on an ambitious effort to revamp the program with the creation of four working groups that will serve as a place for stakeholders to come up with ideas to address continuous monitoring, automating assessments and applying existing frameworks.

“I think it was born out of a necessity frankly,” former FedRAMP acting director Brian Conrad told Inside Cybersecurity on the sidelines of the Zscaler public sector summit. Conrad moved to the private sector in April 2024 to join Zscaler as the cyber firm’s director of compliance.

Current FedRAMP acting director Pete Waterman discussed the major changes in FedRAMP 20x at a March 24 event hosted by the Alliance for Digital Innovation.

Conrad said, “If you look at the numbers, Pete talked about it, his contractors are gone and the budget has been cut. So how do you maintain a program that is vital to the government that requires innovation?”

“In a disruptive time, that is the opportunity to innovate. I think it’s a perfect opportunity to dive deep into the program, get agencies and industry more involved to see what is better on the outset,” Conrad said.

GSA announced several major changes to the program in a March 24 release, including:

  • No federal agency sponsor needed for simple, low-impact service offerings
  • No unnecessary or duplicative paperwork
  • Turn-key adoption for simple, cloud-native environments
  • Engineer-friendly security requirements that are easy to implement
  • Authorization in weeks for most cloud offerings

Jessica Salmoiraghi, senior director for IT modernization and procurement at the Business Software Alliance, spoke with Inside Cybersecurity about the challenges the program has experienced in recent years, including delays of up to two years in getting cloud service providers approved for agency use.

BSA has been advocating for changes to the FedRAMP program since the Office of Management and Budget issued a memorandum in July 2024 making major adjustments to the cloud security initiative. The memo was issued in response to the FedRAMP Authorization Act in the fiscal 2023 National Defense Authorization Act, which formally codified the program.

Salmoiraghi said the memo eliminated FedRAMP’s Joint Authorization Board, which allowed CSPs to get their products approved without needing an agency sponsor through an authority to operate.

“One of the things that was heard loud and clear with the transitions [in Congress] and as the new administration came in is FedRAMP isn’t working the way that it should. This is taking too long and it’s too darn expensive so that’s what I think part of led to this FedRAMP 20x that launched this week,” Salmoiraghi said.

Before joining BSA in 2023, Salmoiraghi was GSA chief acquisition officer and associate administrator for GSA’s Office of Government-wide Policy. The FedRAMP program is run through a different part of GSA called the Federal Acquisition Service.

Salmoiraghi said, “FedRAMP has always had a challenge because of the way funding is structured for the program. It’s never been a line item on an appropriation, so they are always trying to get money from other sources.”

“Sources are getting squeezed right now. I can’t speak specifically to what the budget is for FedRAMP but I think if you are looking at what is happening at GSA, I would say everyone at GSA is having a very limited budget and that is probably reflected in the FedRAMP program too,” Salmoiraghi said.

At the ADI event, Waterman said the FedRAMP Program Management Office expects to complete the authorizations for cloud services that are still in progress by the end of April. The size of FedRAMP is expected to decrease significantly with the cancellation of a major contract to support the program, according to media reports.

Despite the cuts, Salmoiraghi said BSA is encouraged by the creation of working groups under FedRAMP 20x because it will allow industry players to work directly with agencies on potential solutions as part of the revamp.

Now in the private sector, Zscaler’s Conrad said there is still a lot of value from the industry perspective in being part of FedRAMP and how it cuts across government to provide cloud service offerings for agency use. -- Sara Friedman (sfriedman@iwpnews.com)