United States - The FedRAMP Ideation Challenge
For more information and to make a bid you will need to go to the third party website.
Details
Provided by
- Opportunity closing date
- 13 August 2019
- Opportunity publication date
- 25 June 2019
- Value of contract
- to be confirmed
Description
Added: Jun 24, 2019 4:39 pm
The FedRAMP Ideation Challenge
Shape how government performs cloud security authorizations.
Challenge
Reimagine the FedRAMP Security Authorization process and its supporting functions.
Goal
Hear unique perspectives and learn from Cloud Service Providers (CSPs), Agencies, Third Party Assessors (3PAOs), and all parties interested in cloud security and the authorization process.
Opportunity
Inform the next iteration of government’s premier cloud security authorization program.
Challenge:
Although Agencies are adopting secure cloud technologies at record-high levels, challenges remain. The Federal Risk and Authorization Management Program (FedRAMP) strives to continuously improve how we support our customers. In an effort to enhance and evolve our program, the FedRAMP Program Management Office (PMO) seeks to leverage the power and insights of the cybersecurity community. Respondents have the opportunity to help guide what the PMO takes on next and ensure that the government keeps federal data secure while bolstering modernization efforts.
Goal:
Participants should submit bold, innovative, and actionable ideas that offer a new perspective on the FedRAMP Authorization process.
Security and cloud professionals, academia, and anyone interested or involved in the FedRAMP ecosystem are invited to participate in this opportunity to share their best thinking on the next phase of FedRAMP.
Opportunity:
As technology evolves, it is important that federal Agencies manage information systems to address and mitigate security risks. We want to ensure FedRAMP continuously explores initiatives in support of a modern, efficient, and effective authorization process in an effort to reduce time and cost, without compromising cybersecurity rigor.
This challenge provides FedRAMP’s stakeholders and the cloud security community at large the opportunity to directly inform and contribute ideas in support of a new approach to risk assessments and security authorization for cloud products and services.
Background:
FedRAMP standardizes the Federal Government’s requirements and approach to security assessment, authorization, and monitoring of cloud products and services (Infrastructure as a Service [IaaS], Platform as a Service [PaaS], and Software as a Service [SaaS]). The FedRAMP program established several cloud security baselines in accordance with FISMA and aligned with the NIST RMF and NIST SP 800-53. FedRAMP’s unified approach allows CSPs to demonstrate how they are safeguarding information using a single set of security requirements that is accepted by all executive branch Departments and Agencies. This “do once, use many” approach minimizes duplicative Agency-specific authorization efforts, inconsistencies, and cost inefficiencies.
FedRAMP works closely with partners from industry and government to promote the secure adoption of innovative information technologies. The FedRAMP PMO takes a continuous improvement mindset to its mission of creating transparent standards and processes to accelerate federal Agencies’ adoption of cloud technologies and ability to leverage security authorizations on a government-wide scale.
How Do CSPs Get a FedRAMP Authorization?
CSPs can achieve a FedRAMP Authorization from one of two approaches: through Agency partnership or through the Joint Authorization Board (JAB). Regardless of the authorization approach, the CSP and 3PAO must produce the same deliverables (documents, artifacts, and evidence files) to convey the risk associated with the cloud service offering.
JAB Authorization Process
Agency Authorization Process
Challenges with the “As-Is” FedRAMP Process:
As Agencies migrate to cloud technology, authorization challenges remain. FedRAMP is committed to providing workable and scalable solutions for our partners to advance the pace of secure cloud adoption.
STAKEHOLDER CHALLENGES
Industry
Time - Although there has been significant progress in reducing authorization timelines, more work is needed to improve the pace of authorizing new providers, approving significant changes, and on-boarding of new services.
Cost - The technical modifications, testing, and security materials required for a vendor to achieve a FedRAMP Authorization are comprehensive and rigorous. Depending on a vendor’s familiarity with these requirements, and the current “as-is” environment, costs can quickly escalate.
Agencies
Reciprocity - Some agencies are not accepting FedRAMP Authorizations at face value and impose additional security requirements on top of the FedRAMP baseline. This action transforms the ATO process from a risk-enabling practice into a labor-intensive exercise and loses sight of FedRAMP’s intended “do once, use many” goal.
Helpful Resources and Where to Start
FedRAMP PMO launched multiple projects and initiatives in the past in response to customer feedback. Take a look at previous improvement efforts and get a feel for the PMO’s approach to continuous process improvement:
FedRAMP Accelerated
FedRAMP Ready
Agency Authorization Playbook
CSP Authorization Playbook
FedRAMP Connect
FedRAMP Tailored Li-SaaS Baseline
Submission Details:
Challenge participants are encouraged to submit any idea that could improve and benefit the authorization process. No idea is too small!
Participants should submit their idea to info@fedramp.gov by 5pm EDT August 13, 2019 with the subject line: “FedRAMP Challenge Response.” Submissions should be no more than 2 pages, in 11 point Arial font, attached to the message as a PDF or Word document.
Responses should include brief details on your relationship to FedRAMP, such as how you would identify yourself (CSP, 3PAO, Agency, Industry, Interested Citizen, or other). All approaches to this challenge are welcome, but here is an optional outline to organize your response:
Clearly identify and describe the improvement/initiative
Detail existing challenges the improvement/initiative addresses
Provide a technical or management approach to implementing the idea
Identify resources required for idea implementation and sustainment (e.g. level of effort, expertise needed, tooling, etc.)
Describe intended outcomes of implementing the idea
Develop and list metrics to successfully monitor and manage initiative post implementation
Please keep in mind that we do not want to compromise security rigor!
Submissions will be reviewed by the FedRAMP PMO. As a result of this challenge and internal efforts, FedRAMP will define its next big move as a program and communicate the results of this effort through the Focus on FedRAMP blog. The PMO will also release a Special Notice on FedBizOpps and on GSA eBuy as part of a larger coordinated effort to gather ideas from the broadest possible community. These public announcements will contain a direct link to the FedRAMP website for further details about the ideation challenge.
Thank you for your effort and commitment to partnering with FedRAMP to improve cybersecurity for all.
Rules and Conditions:
FedRAMP will not respond to each submission individually but may reach out via email to individual submitters for clarification if needed.
This is a targeted open crowdsourcing and ideation activity to collect insight and is not a competition where prizes may be awarded.
Please do not submit proprietary information. Any information provided may be incorporated into the design of the project. Information submitted in response to this notice is subject to disclosure under the Freedom of Information Act. Respondents are advised that the Government is under no obligation to acknowledge, compensate or provide feedback with respect to any information submitted under this notice.
By participating in this crowdsourcing activity, submitters agree to hold GSA harmless from all legal and administrative claims to include associated expenses that may arise from any claims related to their submission or its use.
GSA will not be responsible for any claims or complaints from third parties about any disputes of ownership regarding the ideas, technology, white papers, prototypes, or images included in submissions.
GSA reserves the right for any reason to modify or close the challenge at any time.
About the buyer
- Address
- General Services Administration R1 Acquisition Management Division (47PB00) United States
The deadline to apply for this opportunity has passed.