Federal officials and vendors will be getting more advice about the Federal Risk and Authorization Management Program (FedRAMP) in the form of a new website, new training modules and procurement guidance to help them incorporate security authorizations in cloud contracts.
"We're looking to change the user experience with FedRAMP," program director Matt Goodrich said during a panel discussion hosted by the Association for Federal Information Resources Management (AFFIRM) on Feb. 19.
The new FedRAMP.gov website will be launching next month, incorporating a new design that will make it easier for interested parties to find the information they need.
The FedRAMP program office has been in talks with stakeholders about what they'd like to see in a new site and even reached out to disinterested civilians — in the form of Goodrich's friends — to see how the average person navigates the current site.
"Most of our information is actually in all of our documents," Goodrich said. However, "we don't really have a 100,000-foot view of FedRAMP on our website right now. Functionally, what is FedRAMP … we're making sure we have that high-level view."
The new site will also launch with a training module to help vendors and government agencies understand what FedRAMP is and how to begin the process. This first module will be "high level," Goodrich said, explaining how the process works and how agencies and vendors interact with the program.
There will be only one module at first, but the FedRAMP program management office (PMO) expects to launch several more over the next few months and to continue developing new training programs as needed.
"Coming into the security process for any vendor is very difficult. And for many of the agencies, getting into the cloud is a little scary because it's definitely a different way of using IT services," Goodrich said. "So as we have those lessons-learned, why don't we just share those and make sure it's out there in a way that people can do it at their own speed?"
Ultimately, Goodrich hopes to offer a whole catalog of training modules to address every aspect of the FedRAMP process.
Finally, the FedRAMP PMO is working on new procurement guidance that will give agencies a template for including FedRAMP in future contracts and solicitations.
The guidance will be "loosely based off of the modular IT guidance that came out through OMB," Goodrich explained. "This is what security authorizations are, this is what FedRAMP compliance means. Then through the uniform contract format, here are considerations in each area for FedRAMP and talking points on how to incorporate them in there and sample language that people can put in there."
The draft guidance is still in development, though Goodrich said stakeholders can expect to see a request for comment soon.
Once finalized, it will likely be included in one of the future training modules, as well.