The Federal Risk and Authorization Management Program (FedRAMP) is evolving how it selects vendors to provide security assessments, authorizations and continuous monitoring for cloud products and services, and is offering an online survey to get feedback before it finalizes its criteria for prioritization.
Survey: FedRAMP Prioritization Criteria
Working to prove FedRAMP Accelerated, the Program Management Office (PMO) and the Joint Authorization Board (JAB) are developing a strategic plan for how they will select vendors to provisionally authorize vendors as the program scales.
Invested in creating a broad marketplace of providers, PMO and JAB have established straightforward criteria for selecting future vendors:
-- FedRAMP Ready:
This is a go/no-go. Has a vendor completed a FedRAMP Readiness Assessment and the PMO approved them as FedRAMP Ready?
-- Demand:
This is a go/no-go and is scaled. Does a vendor have current or future demand by at least six agencies? This can be proven in a few ways — current customer list, vendor-supplied business case for meeting demand in a short time period (12-24 months), administration priority, and agency requests.
-- Preferences:
This criteria is not a go/no-go but will add additional weight to services that are equal in terms of demand.
Conversations with industry partners emphasized the importance of prioritizing vendors that had an approved FedRAMP Readiness Assessment, can demonstrate demand by at least six agencies — and proof that those orders were met — in a concise time period, and meet certain other preferences. Feedback is being requested before the criteria are finalized in 30-60 days.
The seven-question survey runs until Sept. 2.
