In collaboration with the Office of American Innovation (OAI) and the American Technology Council, GSA and FedRAMP have been working to improve the security authorization process across the federal government. Our ultimate goals include:
Reducing toil that inhibits our ability to scale improvements.
Decreasing errors from manual activities.
Increasing speed to process (approvals and identification of issues).
Increasing value-add of machine-readable data for improving risk management.
One key component of this effort is identifying ways to incorporate automation into the Authority to Operate (ATO) process. To assist agencies and industry collectively, GSA is issuing a Request for Information (RFI) to better understand the existing commercially available products and practices that the government could use to automate any portion of the ATO process. Ideally, the government is looking for tools that are already available, rather than conceptual tools, that could be used to automate the process and support federal priorities already underway, such as Continuous Diagnostics and Mitigation (CDM) and the Ongoing Authorizations priorities managed by the Department of Homeland Security (DHS).
Some challenges of the authorization process faced by vendors and agencies include complex and time-consuming processes, demanding documentation requirements, and manual processing. Our goals for automation are to streamline the process, reduce the timeframe for authorizing an information system, reduce the risk of human error, provide real-time data to understand vulnerabilities, and mitigate risk.
The information gathered through this RFI will help feed recommendations to the OAI on how to automate the ATO process, in whole or in part. In the short term, this can potentially be turned into a white paper on available tools and techniques that agencies could use when undertaking the authorization process. Additionally, vendors with readily available tools may be asked to demonstrate their tool’s capabilities for GSA and OMB. In the long term, the information collected will empower GSA and the federal government to make more informed decisions about the tools available to encourage interoperability.
FedRAMP would like to encourage any industry partners that have a service that would meet these requirements to respond to the RFI by July 25th at 5:00 pm Eastern. Thank you for your continued partnership and input as we strive to continuously improve how we work with industry.