We are a volunteer group of senior cybersecurity professionals trying to improve FedRAMP.Β This group was initially formed as a result of a group discussion where we discussed the procedural and bureaucratic challenges regarding FedRAMP, mainly from a CSP perspective. Notes from that first discussion can be found at https://www.notion.so/fedramp-ab/Debut-Call-43db4b9bee54487abaad95b124f6327b?pvs=4
Note: We are not officially affiliated with any company, entity, or federal agency, including the GSA.
Weβre in the early stages of kicking off two separate work streams:
- A relatively short-term effort that involves collecting and distilling various CSP experiences with the FedRAMP process, focusing on the areas in which suboptimal experiences are shared. The current desire is for the output of this work to be shared publicly through multiple mediums, including a jointly written whitepaper, podcast discussion, presentation to the PMO, or even a conference panel.
- Sponsorship, whether itβs about finding a sponsor or about a federal agency finding it burdensome to sponsor.
- Interactions with the PMO and the common problem of inconsistency
- Typical challenges when dealing with a 3PAO on either the advisory or audit side
- A longer-term effort, which has the potential of taking years, is centered around working with industry and government to develop something akin to a FedRAMP sandbox which should allow for easier vetting of CSPs by government agencies without them needing them to commit to sponsorship during that initial testing phase fully.
Β