Baker & Hostetler LLP

01/08/2024 | Press release | Distributed by Public on 01/08/2024 14:11

FedRAMP Begins to Implement Its Vision: Introducing the Agile Delivery Pilot, Developer’s Hub and Knowledge Management System


In our recent article, we discussed FedRAMP's Roadmap to the Future, outlining FedRAMP's ambitious plan to breathe new life into the FedRAMP program by, among other goals, updating the authorization process and automating key deliverables in the FedRAMP program, including the Security Assessment Plan (SAP), Security Assessment Report (SAR) and Plan of Action and Milestones (POA&M).

FedRAMP has now launched several initiatives to meet its goals. These include the agile delivery pilot, a new Developer's Hub to support developers' migration to machine-readable deliverables and draft guidance for the knowledge management system.

Agile Delivery Pilot

FedRAMP's agile delivery pilot is a key part of its goal to streamline FedRAMP compliance. The pilot program's goal is to allow cloud service providers (CSPs) to launch new services and features without agency approval.

Currently, CSPs must complete testing and receive approval before rolling out new features that could impact security. This process delays product improvements, which, in turn, increases risks and opportunity costs. FedRAMP remains committed to ensuring the security of FedRAMP-authorized services but seeks to alleviate the downsides associated with the current approval process. In its place, the agile delivery process is based on continuous assessment rather than a point-in-time assessment.

FedRAMP has established specific requirements for CSPs that wish to participate in the agile delivery pilot, as detailed on the Agile Delivery Pilot: Non-Blocking Change Request - Phase 1 New Features page of FedRAMP's website.

Developer's Hub

FedRAMP has also created a Developer's Hub designed to support CSPs completing their digital authorization packages as well as support developers who are creating applications and tools that produce digital authorization package data.

As discussed in our previous post, FedRAMP is moving toward automating the authorization process through a common machine-readable language known as the Open Security Controls Assessment Language (OSCAL). The Developer's Hub is an open-source community for engineers developing tools that CSPs can use to create their digital authorization packages and run continuous monitoring.

The Developer's Hub will initially support digital authorization packages developed with OSCAL. In time, FedRAMP plans to expand the website to include additional features and capabilities.

Knowledge Management System

FedRAMP is also publishing educational articles for CSPs to help them avoid common problems known to delay the FedRAMP compliance process. FedRAMP's first knowledge base article explains how to protect government email addresses from spoofing using DMARC (Domain-based Message Authentication, Reporting and Conformance).

FedRAMP is inviting feedback on the article's structure, clarity and helpfulness to ensure the material is useful to CSPs and other stakeholders. This DMARC article will be the first of many over the next several years that will be housed in a dedicated knowledge management system for CSPs.

Taking Action

Entities interested in FedRAMP authorization can take advantage of this development period to submit comments and influence how FedRAMP operates for years to come.

This is also an opportunity to learn about the process as it is being implemented. FedRAMP is not only asking for feedback from interested stakeholders but also publishing an ever-increasing amount of guidance and opinions. Whether you want to shape the program's direction or simply learn about FedRAMP's key topics, now is the time to become involved and knowledgeable about this evolving program.

We are here to help if you have any questions regarding the upcoming changes or opportunities to comment on FedRAMP draft guidance documents.