What's in the future for FedRAMP?

The Federal Risk and Authorization Management Program is an evolving entity, intended to grow and morph as agencies increase their use of cloud computing. Here are two things that a future version of FedRAMP might include that could expand the situations it covers and improve its uptake:


FISMA high

As the comfort level of agencies with both cloud computing and FedRAMP increases, many observers think the next level will be for FISMA high security requirements to join the low and moderate requirements that FedRAMP already covers. That will help alleviate many of the concerns people now have with some data security needs not being covered by the FedRAMP baseline, they say.

But it’s not that obvious, according to Maria Roat, director of FedRAMP at the General Services Administration. At meetings where the subject has come up, she’s been throwing back the question of whether the demand is for “high, high, high” security or just high availability of the data. Only about 12 percent of the needs across government are at the high level, she said, with the rest at low or moderate.

“When organizations such as intelligence agencies need a high (security) baseline, they keep the data in private clouds in their own data centers,” she said. “So far, agencies really aren’t stepping up and saying they need high confidentiality for FedRAMP.”

Standardized SLAs

Right now, agencies have to negotiate their own service-level agreements with cloud providers around FedRAMP, which takes time and can cause headaches for many, particularly given that most agencies will use two or more companies to provide services.

“There is no FedRAMP SLA equivalent today,” said Kevin Jackson, vice president and general manager of cloud services at NJVC. “I think a minimum set of SLAs for agencies across government would be a good thing [for the FedRAMP program], and that’s a good role for GSA to take on.”

The question of a standardized FedRAMP SLA is something that many agencies have brought up, Roat said.

“We don’t have a good answer for it yet,” she said, “but it’s something we are looking at.”

About the Author

Brian Robinson is a freelance technology writer for GCN.
