The General Services Administration’s (GSA) Federal Risk and Authorization Management Program (FedRAMP) is exploring the creation of a new funding source, potentially by charging cloud providers as they go through the FedRAMP process.
FedRAMP aims to provide a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by Federal agencies.
The program has undergone big changes this year, publishing a new roadmap in March detailing how FedRAMP will evolve in 2024 and 2025.
In a blog post released Dec. 20, FedRAMP said that since 2022, there has been a 66 percent increase in demand for the program from both agencies and cloud providers.
“Our authorization capacity, on the other hand, did not grow to meet it and has remained at around the same levels before and after 2022. Put simply, demand has increased,” FedRAMP wrote.
GSA’s revamp of the program over the past year “is starting to address some of the long-term root challenges in FedRAMP, while making it clear what our capacity constraints are as a program, particularly with a still-modest team.”
“We also know our stakeholders are eager to see our efforts translate more quickly into increased program capacity, including a new pathway to authorization led directly by FedRAMP, and a quicker and more straightforward review experience,” the blog reads.
FedRAMP continued, “For the process to change in some of the fundamental ways that agency and cloud customers want it to, we believe it’s worth exploring creating a new funding source. As part of that we want to open the conversation around potentially charging cloud providers as part of going through the FedRAMP process.”
FedRAMP is seeking comments through Feb. 28, 2025, on how an approach to charging cloud providers could be implemented in a way that is fair and appropriate for smaller businesses.
“With a thoughtful and customer-sensitive approach, we believe that having a funding source that can grow at the same time as demand grows will let us move more authorizations through the system and oversee cloud providers in a more flexible way – which could ultimately save companies money and time overall,” FedRAMP said.
The blog offered four ideas on how a demand-responsive funding source could change how FedRAMP works, including: continuous monitoring before authorization; more pilots with quicker expansion; more centralized security oversight; and more people doing reviews.
FedRAMP is seeking feedback from organizations on this potential new fee service model and is particularly interested in hearing how it can design a cost model that is right for smaller businesses. It also wants information on other security programs that charge money and would be good models for FedRAMP to consider.
FedRAMP emphasized that it is at the “early stage of discovery and a decision to charge cloud providers has not been made.”
“Any final plan will be informed by your input and involve direct consultation with cloud providers – particularly smaller businesses to whom we do not want to make it harder to enter the federal market – as well as a hefty amount of internal government coordination,” the blog concludes. “We’re opening this dialogue because we believe increased funding to support scale may be necessary for FedRAMP in order for it to work the way that everyone – including us – wants it to.”