In the ever-evolving landscape of government cloud security, speed and simplification are needed to make the cloud useful. The Business Software Alliance (BSA) previously cautioned against complex cloud authorizations that took too long and inhibited government adoption. The General Services Administration (GSA) introduced FedRAMP 20x at the end of March, a modernization effort aimed at refining the Federal Risk and Authorization Management Program (FedRAMP) to better accommodate the complexities of cloud security authorization.
Industry Feedback on FedRAMP’s Evolution
BSA addressed several concerns regarding the state of FedRAMP in an October letter to the program. It highlighted three issues: 1) uncertainty for Joint Authorization Board (JAB)-prioritized authorizations, 2) extended Program Management Office (PMO) review times, and 3) ambiguous requirements. BSA emphasized the need for clear and efficient pathways to authorization, especially for cloud service providers (CSPs) that have invested significant time and resources into the process. The organization urged FedRAMP to leverage existing security verification work to expedite authorizations and avoid unnecessary delays in providing essential cybersecurity services to federal networks.
FedRAMP 20x: A Response to Industry Challenges
FedRAMP 20x aims to address these industry concerns by implementing several key changes:
- Streamlined Authorization Processes: By simplifying procedures and reducing bureaucratic hurdles, FedRAMP 20x seeks to make the authorization process more efficient for CSPs.
- Enhanced Automation: The initiative plans to automate over 80 percent of security requirement validations, minimizing manual processes and expediting approvals.
- Flexible Sponsorship Requirements: For certain low-impact service offerings, the need for a federal agency sponsor has been removed, lowering barriers to entry for CSPs.
- Collaborative Development: Community Working Groups composed of industry stakeholders and agency experts are being established to design the new assessment process, ensuring it reflects the needs and insights of all parties involved.
Balancing Security With Efficiency
The introduction of FedRAMP 20x reflects an understanding that effective cloud security authorization requires a fast and adaptable approach. By addressing industry feedback and embracing the complexities of the digital landscape, FedRAMP 20x aims to balance the need for rigorous security assessments with the imperative for rapid technological adoption. As the program evolves, continuous engagement with industry and agency partners will be crucial to ensure that FedRAMP 20x meets its objectives and effectively addresses the dynamic challenges of cloud security in the federal space. BSA will continue to engage with the program, the Administration, and the Congress to improve this program and help the federal government modernize IT effectively.