The Federal Risk and Authorization Management Program is nearing full operating capability, a General Services Administration official said Thursday.
Maria Roat, who became director of FedRAMP three months ago, said the program, which has been at initial operating capability since last June, will move to full operating capability this summer.
Roat, speaking April 25 at an AFCEA Bethesda breakfast at the North Bethesda Marriott, said her office has been busy creating baselines for the entire FedRAMP process. Doing so will allow federal agencies to know what they can expect in terms of delivery of different cloud-computing services.
“It’s about setting expectations,” Roat said. “We’ve done an end-to-end look, so we can say with confidence that a certain action will take a certain amount of time to give everyone involved a picture of the full process.”
Over the past 18 months, FedRAMP has been reaching out to the federal agencies, educating them on what the program intends to be, she said.
“The agencies don’t have to use cloud service providers that have ATOs (authority to operate),” Roat said, “so if there is a provider they like, the agency can use the baselines we’ve created to make sure they fit the necessary standards.”
Roat added that, as part of the outreach, GSA held an agency day last month and a webinar last week, with the latter discussing some small changes to the program as outlined in the PortfolioStat 2.0 guidance.
One thing Roat said the federal government would like from vendors working in a cloud brokerage model, like FedRAMP, is the ability to get security feeds from them, as opposed to an annual audit from a third-party organization.
“We know vendors don’t want us to see their own vulnerabilities, and I understand that,” Roat said. “But any of that information we learn, we would keep it in-house. It’s not like we’re going to go out and talk about it. We just want data on our own systems.”