GSA Blog

Accelerating the secure bridge between industry and government: A roadmap for FedRAMP

The American public expects government technologies and websites to be secure and easy to use. They expect the government to use and deliver the same modern technologies that they see in commercial services. And of course, they expect government agencies to protect their data and personal information, keeping cybersecurity top of mind.

To meet all of these challenges, government agencies frequently rely on technologies from external partners who can offer the latest innovations, best practices, and cutting-edge technology. 

Cloud-based services, in particular, can help provide the modern tools and platforms for agencies to fulfill their missions while meeting the expectations of the public.  

That’s why, a decade ago, GSA established the Federal Risk and Authorization Management Program. FedRAMP helps agencies that want to buy and securely use products that help them deliver on their missions while keeping systems and sensitive information safe. 

Today, FedRAMP is releasing a public roadmap [PDF] of how it will meet those big challenges, laying out the features and changes that both federal agencies and cloud providers can expect to see over the next 18 months. 

“This roadmap is the new vision that we need - and that both buyers and sellers expect - from the clearinghouse and driver for secure, cloud-based services for government,” said Robin Carnahan, GSA Administrator. “We’re going to build technical capacity and expertise, more clearly define security expectations, establish reciprocity where it makes sense, and focus on automation and continuous monitoring while helping agencies get the secure cloud innovations they need to deliver.” 

“This is yet another important milestone in the evolution of the FedRAMP Program,” said Clare Martorana, Federal CIO from the Office of Management and Budget. “The roadmap will further enable the secure and efficient adoption of cloud technology, safeguarding critical information and infrastructure while accelerating innovation for agencies and the public they serve.”

“The FedRAMP roadmap released today is an important step forward laying out needed, achievable improvements to the FedRAMP program,” said Harry Coker, Jr., the White House National Cyber Director. “The roadmap will help federal agencies continue their cloud migration while ensuring our federal systems, and ultimately the nation, are protected.”

About FedRAMP

Sitting within GSA’s Technology Transformation Services, FedRAMP is first and foremost a security and risk management program that acts as a bridge to the commercial cloud service industry and the U.S. government. FedRAMP centralizes and standardizes the review of secure cloud services, sharing that review with agencies. It then authorizes many of them for federal use, making them available on the FedRAMP Marketplace. 

Agencies can acquire these cloud services more quickly and easily than they typically could on their own. And the cloud service providers benefit from having their services vetted in one place rather than undergoing repeated security reviews at many agencies. The FedRAMP team works closely with both of these groups - buyers and sellers - as well as others to drive its strategy. The goal is to focus on the customer while expanding the FedRAMP Marketplace, making navigation easier and including more of the tools that agencies need.

Plan for progress

FedRAMP has organized its new roadmap around the goals of customer experience, cybersecurity leadership, growing the trusted FedRAMP marketplace, and operating on a foundation of technology and data.

You can read more on FedRAMP.gov about its specific roadmap initiatives, which include:

• Supporting secure software development by shifting to a process that incentivizes more rapid development and deployment of security features.
• Rethinking how the program measures success, based on customer research, to focus on driving down time and costs experienced by agencies and cloud providers in the FedRAMP process. 
• Strengthening the core security expectations underlying all FedRAMP authorizations, and publishing clear guidance for how to meet them.
• Partnering with agencies that have invested in strong FedRAMP authorization processes to establish a significantly more streamlined process with fewer bottlenecks.
• Moving FedRAMP away from relying on lengthy documents and towards a data-first foundation for automating key pieces of the FedRAMP process.

Where FedRAMP is heading

With an eye towards the future, FedRAMP is scaling to meet industry demand and building on the goals laid out in the 2022 FedRAMP Authorization Act, and the recently released draft policy memorandum from the Office of Management and Budget. GSA will soon open applications for the position of FedRAMP Director, an exciting opportunity to shape and build on FedRAMP’s vision for the future. 

FedRAMP is committed to transparency and participation as it moves forward. There will be opportunities for cloud service providers to work with the program to pilot roadmap initiatives, and FedRAMP expects many opportunities for public comment as policies and processes evolve. Like all roadmaps, the FedRAMP Roadmap is a living document and we expect to update it at regular intervals. 

For more information, you can view the roadmap [PDF], or email info@fedramp.gov.