FedRAMP working with NIST to apply automation

“… FedRAMP is working with NIST to apply automation to the program. Through the Open Security Controls Assessment Language (OSCAL), NIST and FedRAMP are hoping by applying the language to certification packages, it can reduce the time and effort to get companies FedRAMP certified.

‘We’ve made a lot of progress over the last year with NIST to get OSCAL ready to go. And of course, the partnership with our cloud service providers has been incredibly helpful,’ [Brian Conrad, the acting director of FedRAMP] said. ‘We have cloud service providers lining up wanting to be a part of pilot programs as are third party assessors who also are looking forward to this too. It’s critical because the implementation of the automation will help reduce the variability in the time and the resources needed to create all these security artifacts.’

Conrad said even with all of these ongoing improvements, FedRAMP had a strong year in 2020.

He said agencies and the JAB authorized 60 new cloud services and reuse of existing CSP authorities to operate grew by 55% last year…”

“Conrad said the broad goal with many of these initiatives is to ensure that consistency and rigor while continually reducing the burden of FedRAMP.

‘I tell this to the cloud service providers that I talk to, and the 3PAOs, that our policies and guidance, they form what I refer to as guardrails on a road. You can’t expect cloud service providers to line up down the center lane because everybody’s a different service model. There’s different technologies, and there’s different size businesses. So having our policy and our guidance being like the guardrails on a road, and the goal is keeping everybody in those guardrails,’ he said. ‘We assess cloud service providers in how they apply those things in a firm, fair and consistent manner, that provides a level of confidence to agencies that the package they’re getting is sound. When we step further into automation, where we have the automated validation and things like that, that’ll help increase the confidence level as well.’…” Read the full article here.

Source: A threat-based methodology is FedRAMP’s next step toward simplicity with rigor – By Jason Miller, May 6, 2021. Federal News Network.


This topic contains 0 replies, has 1 voice, and was last updated by  Jackie Gilbert 4 months, 3 weeks ago.

  • Author
  • #126679

    Replies viewable by members only


You must be logged in to reply to this topic.


Questions?. Send us an email and we'll get back to you, asap.


©2021 MileMarker10, LLC all rights reserved | Community and Member Guidelines | Privacy Policy | About G2Xchange FedCiv

Opportunities. Starting Points.

About our Data

The Vault is a listing of expiring contracts, task orders, etc. within a certain set of parameters, to include:

  • Have an initial total estimated contract value of $10 million or above
  • Federal Civilian Only – DHS, Transportation, Justice, Labor, Interior, Commerce, Energy, State, and Treasury Actions
  • NAICS codes include: 511210, 518210, 519130, 519190, 541511,
    541513, 541519, 541611, 541618,
    541690, 541720, 541990
  • Were modified within the last 12 calendar months
  • The data represented is based on information provided by the government

Who has access? Please note that ALL G2Xchange FedCiv Members will receive access to all basic and much of the advanced data. G2Xchange FedCiv Corporate Members will receive access to ALL Vault content (basic and advanced).

Feedback/Suggestions? Contact us at Vault@G2Xchange.com and let us know what you think. 

G2Xchange FedCiv

Log in with your credentials for G2Xchange FedCiv

Forgot your details?