Phase 2 Pilot Assessment
The 20x Phase 2 pilot is also testing a new approach to independent assessment; participants must be prepared to collaborate with their assessor more closely than usual, and assessors must be flexible to contribute effectively to the pilot process. The purpose of an independent assessment under 20x is to analyze and validate the information presented by the cloud service provider and attest to the quality and compliance of these materials so that FedRAMP can assess the provider's overall security posture based on these materials.
The 20x Persistent Validation and Assessment standard outlines broad requirements and recommendations for this approach. Phase 2 pilot participants are expected to work with their assessor and FedRAMP to align on an assessment approach that makes the most sense. Assessors should be active participants, included in all meetings with FedRAMP, and expected to contribute lessons learned and other public comments during the creation of a formal process based on the Phase 1 and Phase 2 pilots.
What an Assessor Should Assess
As outlined in the 20x Persistent Validation and Assessment standard, the expectations for a 20x assessment are different from a historical Rev5-based assessment: the primary goal is for the assessor to ensure that the information provided by the pilot participant is accurate, makes sense, and is generally complete. A clean authorization package will allow FedRAMP to perform a quick and effective final assessment for authorization without undue expense borne by the government.
Both providers and assessors should understand that FedRAMP is not seeking a determination on the provider’s security decisions or a recommendation for authorization from the assessor. The provider should consider the assessor as a helping hand to verify that everything works the way the provider thinks it works, that it’s documented in a way that is consistent and makes sense, and that there is sufficient information for FedRAMP to complete the assessment.
During the Phase 2 pilot, FedRAMP requests that most cloud service providers* engage a FedRAMP recognized assessor to provide assessment of at least the following:
- Has every requirement, recommendation, and KSI been addressed in the materials created by the provider? Are there any obvious flaws or gaps?
- When a recommendation is not implemented, has the provider properly documented the reasons? Are there any obvious flaws or gaps in the reasoning?
- Are the technical capabilities used for automation effective, and are the resulting conclusions accurate? Are the technical capabilities well maintained and monitored?
- Will an automated validation fail if the success criteria were not met? Was this tested or observed?
- Are the automated inventories, and the processes for generating those inventories, accurate and effective?
- Has the cloud service provider appropriately considered all relevant information resources for each KSI? Are non-machine-based information resources properly integrated into the materials?
- Are persistent, regular, and other schedules properly documented and adhered to?
FedRAMP encourages providers and assessors to go beyond these questions and include additional information and materials that are relevant or helpful to FedRAMP during the pilot process. If an assessor believes there is a gap in the pilot assessment requirements and the provider agrees, they should go ahead and assess that gap and provide information about this to FedRAMP.
* AI Prioritized cloud service providers may request a complete assessment directly from FedRAMP.
Assessor Obligations and the Phase 2 Pilot
FedRAMP will establish 20x-specific accreditation processes prior to wide-scale adoption of the 20x process, but additional flexibility is required during the Phase 2 pilot.
To maximize the success of the Phase 2 pilot, the following A2LA R311 requirements are waived by FedRAMP for assessor participants:
- 4.7: After Action Reports for assessors do not need to be filed with A2LA
- 5.2.3 F.1: Assessors may provide fewer than three team members to staff the pilot assessment if appropriate
- 5.2.4 F.1: Assessors may assess systems in the pilot even if they have provided consulting services to the cloud service provider in the previous two years
- 5.2.4 F.3: Assessors may provide assessment services to CSPs using tools owned or developed by the assessor (but must still document how impartiality is maintained)
- 7.1.5 F.2: Assessors should request that the CSP fill out this form, but it is not required for authorization
- 7.4.1 F.1: FedRAMP expects assessors to be flexible in their approach to the pilot
- 7.4.2 F.1: The authorization recommendation must be excluded
- 7.4.4 F.1: The after action report does not need to be filed with A2LA, and this will not affect authorization
In addition, the following aspects of the FedRAMP assessor Obligations and Performance Standards do not apply for assessor participants in the Phase 2 pilot:
- Documentation Produced: The assessor should review the 20x Persistent Validation and Assessment standard and supply relevant documentation; Rev5 requirements do not apply and Rev5 templates should not be repurposed. Information provided by the assessor, individually or in combination with provider information, must enable the government to make timely, risk-based decisions without extensive interpretation or assumptions. The level of detail must be adequate for both risk executives and their technical subject matter experts. This information should be provided in a machine-readable format that can be integrated into the authorization package by the cloud service provider.
- Impartiality: FedRAMP expects assessors to engage in active discussions with the cloud service provider during pilot assessments to work towards a complete and effective assessment. Assessors should not be directly providing consulting services but may make recommendations, share opinions, or otherwise support the cloud service provider during the pilot.
Background & Authority
All FedRAMP 20x authorizations are classified as Program Authorizations, signed by the FedRAMP Director, indicating that FedRAMP assessed a cloud service provider’s security posture and found it met FedRAMP requirements and is acceptable for reuse by agency authorizing officials (as defined in OMB Memorandum M-24-15).
44 USC § 3611 (the FedRAMP Authorization Act) allows FedRAMP to “use an independent assessment service to analyze, validate, and attest to the quality and compliance of security assessment materials provided by cloud service providers during the course of a determination of whether to use a cloud computing product or service.”