A “Constantly Updating” Cloud Services Authorization Program
Automation allows agencies to continuously monitor compliance, quickly find potential risks and reduce time spent on manual reviews.
“The previous approach of reviewing periodic assessments simply could not keep up with today’s fast-moving threat environment,” DeRusha says.
Automating as much of the authorization process as possible will ultimately enable the government to procure more secure, innovative solutions as they come to market — instead of years later, he says.
By automating as much as 80% of security controls, agencies will be able to generate compliance documentation more efficiently and receive real-time updates on security posture.
“At the click of a button, I can find out the current state of security of a particular system,” says Jonathan Alboum, federal CTO at ServiceNow and former CIO of the Department of Agriculture.
“The reason the automation piece is so critical is that the manual and paper-based process took a long time,” Alboum says. “When we automate, we not only reduce the time to complete assessments, we improve the accuracy, we reduce human error and we create a system that is constantly updating.”
Working with Industry to Apply Automation Best Practices
GSA established four FedRAMP 20x working groups for industry stakeholders, emphasizing the importance of industry collaboration in shaping the framework. The working groups will focus on areas such as continuous monitoring and applying automation practices used in other regulated sectors.
“Closer alignment between government and technology providers will be essential to keeping pace with innovation while meeting evolving compliance expectations,” Alboum says.
The biggest challenge agencies may face will be ensuring their personnel have the tools, training and other resources to shift from the current labor-intensive, task list-driven process to a faster, largely automated approach.
“GSA must also take steps to encourage consistent implementation across agencies, as well as reciprocity with the Department of Defense,” DeRusha says.
The transition will involve adopting new tools, automating security checks and changing the mindset around compliance from viewing it as a one-time task to an ongoing effort.
“It is a big adjustment, but it will make security stronger and improve operational efficiency,” DeRusha says.