United States - The FedRAMP Ideation Challenge

For more information and to make a bid you will need to go to the third party website.

Details

Provided by Open Opps
Opportunity closing date
22 August 2019
Opportunity publication date
24 July 2019
Value of contract
to be confirmed

Description

Added: Jul 23, 2019 10:51 am

The FedRAMP Ideation Challenge: Shape how government performs cloud security authorizations.

Although agencies are adopting secure cloud technologies at record-high levels, challenges remain within the FedRAMP process and across the FISMA and Risk Management Framework. 

The Federal Risk and Authorization Management Program (FedRAMP) strives to continuously improve how we support our customers. In an effort to enhance and evolve our program, the FedRAMP Program Management Office (PMO) seeks to leverage the power and insights of the cybersecurity community. Respondents have the opportunity to help guide what the PMO takes on next and ensure that the government keeps federal data secure while bolstering modernization efforts.

Goal

Participants should submit bold, innovative, and actionable ideas that offer a new perspective on the FedRAMP Authorization process. 

Security and cloud professionals, academia, and anyone interested or involved in the FedRAMP process are invited to participate in this opportunity to share their best thinking on the next phase of FedRAMP. 

Opportunity

As technology evolves, it is important that federal agencies manage information systems to address and mitigate security risks. We want to ensure that FedRAMP continuously explores initiatives that support a modern, efficient, and effective authorization process in an effort to reduce time and cost, without compromising cybersecurity rigor.

This challenge provides FedRAMP’s stakeholders and the cloud security community at large the opportunity to directly inform and contribute ideas in support of a new approach to risk assessments and security authorization for cloud products and services.

Background

FedRAMP standardizes the Federal Government’s requirements and approach to security assessment, authorization, and monitoring of cloud products and services. The FedRAMP program established several cloud security baselines in accordance with FISMA and OMB A-130 and aligned with the NIST RMF and NIST SP 800-53. 

In accordance with FISMA, each agency is required to issue an Authority to Operate (ATO) to authorize operation and accept the risk of using an information system. FISMA, and the President’s Executive Order, require agency heads to be responsible for information security risk within that agency and, while FedRAMP helps streamline and support agency risk determinations, ultimately that responsibility lies with the individual agency. 

FedRAMP’s unified approach allows CSPs to demonstrate how they are safeguarding information using a single set of security requirements that is accepted by all executive branch Departments and Agencies. This “do once, use many” approach minimizes duplicative Agency-specific authorization efforts, inconsistencies, and cost inefficiencies. 

FedRAMP works closely with partners from industry and government to promote the secure adoption of innovative information technologies. The FedRAMP PMO takes a continuous improvement mindset to its mission of creating transparent standards and processes to accelerate federal Agencies’ adoption of cloud technologies and ability to leverage security authorizations on a government-wide scale.

How Do CSPs Get a FedRAMP Authorization?

CSPs can achieve a FedRAMP Authorization through one of two approaches: Agency partnership or the Joint Authorization Board (JAB). Regardless of the authorization approach, the CSP and 3PAO must produce the same deliverables (documents, artifacts, and evidence files) to convey the risk associated with the cloud service offering.

Challenges with the “As-Is” FedRAMP Process

As Agencies migrate to cloud technology, authorization challenges remain. FedRAMP is committed to providing workable and scalable solutions for our partners to advance the pace of secure cloud adoption. The FedRAMP PMO identified four areas for improvement in the current “as-is” process.

Current Challenges

Time - Although there has been significant progress in reducing authorization timelines, more work is needed to improve the pace of authorizing new providers, approving significant changes, and on-boarding of new services. 

Cost - The technical modifications, testing, and security materials required for a vendor to achieve a FedRAMP Authorization are comprehensive and rigorous. Depending on a vendor’s familiarity with these requirements, and the current “as-is” environment, costs can quickly escalate.

Reciprocity - Some agencies are not accepting FedRAMP Authorizations at face value and impose additional security requirements beyond the FedRAMP baseline. This action transforms the ATO process from a risk-enabling practice to a labor-intensive exercise and loses sight of FedRAMP’s intended “do once, use many” goal.

Awareness - There are misperceptions that can potentially dissuade a CSP or Agency from participating in the program. There are several awareness challenges associated with the process, the associated roles and responsibilities, and the available resources, including the FedRAMP Marketplace.

For more information about FedRAMP and this challenge, please visit The FedRAMP Ideation Challenge page.

Rules and Conditions:  

FedRAMP will not respond to each submission individually, but may reach out via email to individual submitters for clarification if needed.

This is a targeted, open crowdsourcing and ideation activity to collect insight and is not a competition where prizes will be awarded. 

Please do not submit proprietary information. Any information provided may be incorporated into the design of the project. Information submitted in response to this notice is subject to disclosure under the Freedom of Information Act. Respondents are advised that the Government is under no obligation to acknowledge, compensate or provide feedback with respect to any information submitted under this notice.

By participating in this crowdsourcing activity, submitters agree to hold GSA harmless from all legal and administrative claims to include associated expenses that may arise from any claims related to their submission or its use.

GSA will not be responsible for any claims or complaints from third parties about any disputes of ownership regarding the ideas, technology, white papers, prototypes, or images included in submissions.

GSA reserves the right for any reason to modify or close the challenge at any time.

How to Enter: 

Challenge participants are encouraged to submit any idea that could improve and benefit the authorization process. No idea is too small! 

Participants should submit their idea to info@fedramp.gov by 5pm EDT on August 22, 2019 with the subject line: “FedRAMP Challenge Response.” Submissions should be no more than two pages, 11 point Arial font, and attached to the message as a PDF or Word document. 

Responses should include brief details on your relationship to FedRAMP, such as how you would identify yourself (CSP, 3PAO, Agency, Industry, Interested Citizen, or other). All approaches to this challenge are welcome, but here is an optional outline to organize your response: 

1. Clearly identify and describe the improvement/initiative

2. Detail existing challenges the improvement/initiative addresses

3. Provide a technical or management approach to implementing the idea 

4. Identify resources required for idea implementation and sustainment (e.g. level of effort, expertise needed, tooling, etc.)

5. Describe intended outcomes of implementing the idea

6. Develop and list metrics to successfully monitor and manage initiative post implementation  

Given the increasing capabilities of technology and innovative services, it is our expectation that new ideas can propose improvements in ways that continue or improve security rigor. 

Submissions will be reviewed by the FedRAMP PMO. As a result of this challenge and internal efforts, FedRAMP will define its next big move as a program and communicate the results of this effort through the Focus on FedRAMP blog. 

As part of a larger coordinated effort, the PMO also posted this ideation challenge on Challenge.gov in order to gather ideas from the broadest possible community. 
 
Thank you for your effort and commitment to partnering with FedRAMP to improve cybersecurity for all.

About the buyer

Address
General Services Administration Office of Acquisitions (TC) United States

The deadline to apply for this opportunity has passed.