Phase 2 Pilot Authorization Process
The Phase 2 pilot authorization process builds on lessons learned in Phase 1 to ensure that qualifying participants are developing pilot authorization packages and having them assessed in alignment with FedRAMP’s goals for the 20x pilot. Providers must fully qualify for participation in the Phase 2 pilot prior to entering the Phase 2 authorization pipeline.
Participants should be prepared for an interactive collaborative process with FedRAMP - unlike typical FedRAMP authorization or the Phase 1 pilot, participants will work closely with FedRAMP prior to developing a complete package and having it assessed.
The authorization preparation phase, prior to submitting a formal authorization package to FedRAMP for review, will include:
Collaborative Workshops: FedRAMP will host multiple two-hour workshop sessions with each cloud service provider and their assessor to discuss the cloud service provider's specific approach to each Key Security Indicator, provide initial feedback, and listen to concerns. These workshops will continue until all Key Security Indicators have been discussed - expect at least 3 of these sessions within 2 weeks. Representatives from the assessor must attend these workshops.

These Collaborative Workshops will include the FedRAMP Director, the FedRAMP Security Director, and senior FedRAMP staff. They will be recorded for internal FedRAMP review and training.
Alignment and Refinement: The cloud service provider will refine their approach and share updates with FedRAMP to be confident that their approach is aligned with FedRAMP’s expectations (including expectations for the assessment). This will likely include multiple shorter check-ins.
Once both parties are confident that the cloud service provider is prepared to submit a package that meets the spirit and intent of the Phase 2 pilot, the cloud service provider will complete the initial package and undergo a full assessment by their assessor following the requirements and recommendations in the 20x Persistent Validation and Assessment standard.
Post-assessment, the final package (including assessment results) will be submitted to FedRAMP for collaborative review and tuning as necessary prior to pilot authorization. Expect multiple meetings and discussions during the collaborative review process to ensure all parties are confident in the authorization package!
Qualifying participants will receive a 12-month FedRAMP 20x pilot authorization once FedRAMP has completed its review of the final pilot package, after the relevant deadline. This pilot authorization will be at either the Moderate or Low impact level depending on FedRAMP's assessment; if a package targeted Moderate but only receives a Low authorization, FedRAMP will include guidance on the gaps that should be addressed to achieve Moderate in a future assessment.
Ensuring a Smooth Authorization Process
The Phase 1 pilot uncovered some complications with communication and access during a pilot that wasn’t following a standardized process. FedRAMP does not want to restrict innovation in Phase 2 but has some additional expectations for participants to optimize communication and ensure a smooth authorization process.
Selected participants for Phase 2 will be expected to implement the following actions as they participate in the pilot:
Assign a primary point of contact for FedRAMP who will coordinate meetings, schedules, etc. This should be a single individual. This individual can add others to meeting invites and similar as needed (it is simply easier and smoother for FedRAMP to work with one person who handles coordination on your side).
Create a provider-hosted mailing list for general communications with the appropriate folks on the provider side added to the list; please ensure anyone with an @gsa.gov email address can send messages to this list.
Be prepared to grant access to, respond to questions from, and otherwise interact with many different people from FedRAMP as a majority of our staff will be engaged in the pilot.
For questions and communications with FedRAMP, please email 20x@fedramp.gov unless otherwise specified.