Earlier this year, the General Services Administration (GSA) announced a significant update to the Federal Risk and Authorization Management Program (FedRAMP). Named FedRAMP 20x, the focus of this initiative is on introducing automation to increase the pace of authorizations.

The Phase One pilot of this effort trialed a new approach to FedRAMP Low authorization. This automated process focused on Key Security Indicators (KSIs) rather than the traditional NIST SP 800-53 narrative control set. Vendors meeting the KPIs were granted a 12-month FedRAMP Low authorization. Using this process, the first FedRAMP authorizations were issued in just four months.

The GSA is now kicking off Phase Two, which will look at granting FedRAMP Moderate authorizations. Participation in this pilot is by invitation only, in order to ensure the small FedRAMP staff concentrates efforts on participants that are well-positioned to achieve Moderate authorization. The focus of this phase, "quality, not quantity,"-- is aimed at fine-tuning automated processes, with a target of 10 approved solutions. Continue reading →