A top official from the White House’s Office of Management and Budget (OMB) said today that the General Services Administration’s (GSA) Federal Risk and Authorization Management Program (FedRAMP) is quickly increasing the number of products on its FedRAMP Marketplace, thanks to its recent codification and new pilots to help shorten the review process.
The FedRAMP program is run by GSA to provide a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by Federal agencies.
OMB proposed new guidance in October to overhaul FedRAMP. The proposed guidance stems from the FedRAMP Authorization Act approved by Congress late in 2022, which codified the program into Federal law and required a laundry list of program modernization steps.
“As far as FedRAMP, I think we’re in a really good spot,” Drew Myklegard, the deputy Federal chief information officer (CIO) at OMB, said on Thursday at the GovForward: ATO and Cloud Security Summit.
“The memo’s coming, but in a unique way of OMB working, we really tried to get out ahead of it [and] figure out what was going to work, more like the way that we build software – which is like come up with a hypothesis, build it, and then we’ll put it in a policy,” Myklegard explained.
One key goal of the updated OMB guidance is to significantly scale the size and scope of the FedRAMP Marketplace. Myklegard said FedRAMP is “absolutely” increasing its throughput of authorizations following its codification, with close to 400 products or service offerings now available.
For reference, OMB said the FedRAMP Marketplace had around 300 different products or service offerings in April.
“When we authorize it once, it is authorized, and that’s a really important concept and one that we think will accelerate the number of products that we’re bringing in,” Myklegard said. “Every time I look at the marketplace, it’s going up, which is exciting.”
“We’re at hundreds of products … [and] we’ve been working on some pilots where we can shorten that time for FedRAMP reviews,” he added. “We’ll never catch up to the demand, but we are seeing more and more products come through, especially SaaS products. When they understand the process and it’s not their first time going through, it’s much quicker.”
The FedRAMP team has been busy in recent months. It published a new roadmap in February, outlining how the program will evolve in the next 18 months, focusing on key goals such as customer experience and cybersecurity leadership.
FedRAMP also published its final Emerging Technology Prioritization Framework last month, detailing which generative AI capabilities will be the first to be prioritized. The framework meets a requirement set by President Biden’s October 2023 AI executive order.
This week, FedRAMP also launched the Agile Delivery pilot, which will allow cloud service providers to more easily roll out new features without advance approval for each change.
“With everything that we’re doing, we’re building momentum, and we really hope you guys see the results soon,” Myklegard said. “Go look at the GSA roadmap, it’ll give you a great idea of where we’re going, … we’re really working with the FedRAMP Board to get out there and help agencies sponsor more products.”
Myklegard also said that GSA received over 400 applications to fill the currently vacant FedRAMP director position, teasing that a personnel announcement will be coming soon.
“We’re super excited about who they got to apply … [and] I’m super excited for when they name the next FedRAMP director,” he said.