FedRAMP 20x – One Month in and Moving Fast

Original link: https://www.fedramp.gov/2025-04-24-fedramp-20x-one-month-in-and-moving-fast/

The FedRAMP 20x program has moved quickly in its first month. Its core goal is to modernize FedRAMP through collaboration and a philosophy that puts security ahead of compliance. Key achievements include authorizing 29 new cloud services, granting seven FedRAMP Ready designations, and shrinking the review queue to its smallest size since July 2022. The FedRAMP team took an active part in stakeholder meetings, working groups and public forums, answering more than 1,200 questions. Several proposed standards are currently open for public comment, including the Key Security Indicators for the 20x Phase One pilot, the Significant Change Notification standard and the Minimum Assessment Scope standard. FedRAMP is also actively supporting GSA's AI priorities, developing internal systems and guidance on the use of AI tools. Looking ahead, the focus is on launching the FedRAMP 20x Phase One pilot (which will provide rapid authorization for cloud services) and on continuous improvement driven by stakeholder feedback. Despite the departure of some long-serving team members, FedRAMP remains committed to achieving its 20x goals.

Hacker News is discussing the "FedRAMP 20x" initiative, which aims to speed up FedRAMP compliance authorization for cloud services used by the US government. FedRAMP sets security standards, and until now obtaining authorization has been a long and expensive process. Some commenters argue that FedRAMP is dominated by bureaucracy that stifles innovation and instead favors incumbents such as Oracle and AWS. Critics contend that compliance work does not necessarily improve security and instead drives market consolidation, while supporters say it establishes a common security baseline. The initiative to lower the FedRAMP barrier is seen as a double-edged sword: it could open the market to smaller cloud providers and startups, but it also raises concerns about security, data protection and oversight, particularly the risks that rapid adoption of new technologies may bring. Some speculate that the change could make it easier for companies like Elon Musk's to win approval. Notably, the initiative focuses on FedRAMP services that host Controlled Unclassified Information, not classified national secrets.

Original text

FedRAMP 20x - One Month In and Moving Fast

April 24 | 2025

Exactly one month ago today GSA announced FedRAMP 20x, an initiative to rapidly modernize FedRAMP in continuous collaboration with industry stakeholders and federal agency experts. The concept emphasizes security over compliance and encourages private innovation to provide the solution.

There is a mountain of effort behind the scenes to keep a program like FedRAMP moving forward. We can’t share pre-decisional information or too much detail about administrative procedures, but transparency into our internal activities and operating environment demonstrates our commitment to the goals of FedRAMP 20x and provides insight into how collaboration drives us forward.

Here is a high-level overview of what the FedRAMP team has been up to this month and what we’ll be focusing on next!

Delivering Authorizations

Our review team keeps working through final reviews of third-party assessment organization recommended and agency authorized FedRAMP packages to get secure services into the FedRAMP Marketplace:

  • Authorized 29 new cloud services (73 total this year), surpassing 400 authorized products
  • Granted seven new cloud services FedRAMP Ready designations (40 total this year), maintaining a clear queue for readiness assessment reports (RARs)
  • Recognized two new third-party assessment organizations
  • Listed five new In Process cloud services for Rev 5 Agency Authorizations
  • Received seven Rev 5 Agency Authorization packages for final review
  • Cleared our review queue down to 25 packages with eight ready for authorization, the smallest it has been since July of 2022

We are constantly supporting our stakeholders and community:

  • Responded to 1,265 messages sent to [email protected], including 833 access requests and 208 general questions about FedRAMP
  • Discussed FedRAMP 20x with over a thousand people at sessions hosted by industry trade groups including the Alliance for Digital Innovation, Cloud Service Providers - Advisory Board, and Business Software Alliance
  • Launched community working groups, hosted eight public meetings with well over a thousand unique attendees, and participated in 100+ active discussions in the working group discussion forums
  • Discussed FedRAMP’s progress and goals with minority and majority Congressional committee staff from the House Committee on Oversight and Government Reform and the Senate Committee on Homeland Security & Governmental Affairs
  • Met with executives and security leaders at DOD, DISA, CISA, VA, HHS, and OMB to discuss changes to FedRAMP
  • Met with various FedRAMP Board members individually while maintaining communication about the status and progress of changes
  • Presented to over 75 agency representatives at GSA’s Cloud & Infrastructure Community of Practice to share and collaborate on FedRAMP 20x updates
  • Presented at the CIO Council’s Analytics Community of Practice meeting on AI safety and performance evaluation
  • Discussed the future of FedRAMP, cloud security, and delivery in uncertain times with the HHS Administration for Children and Families Tech Team
  • Reengaged the FedRAMP Agency Liaison community with 85+ federal agencies represented
  • Supported internal GSA activities to finalize member selection and begin planning for 2025 Federal Security Cloud Advisory Committee meetings
  • Launched our official FedRAMP LinkedIn account with nearly a half dozen posts so far and growing; be sure to follow us on social media, including X/Twitter and YouTube
  • Began work on a new prototype web page, including the FedRAMP Marketplace, that is both accessible and modern
  • Engaged the FedRAMP Technical Advisory Group for continuous support on new initiatives and standards
  • Supported Federal Acquisition Regulation (FAR) revision initiatives to streamline acquisition regulations

Improving Standards

Every day the team is driving incremental but continuous progress:

  • Posted three proposed standards for public comment via our FedRAMP Request for Comment process
  • Determined that FedRAMP authorized cloud services that lose their only agency ATO will maintain FedRAMP authorization under most circumstances
  • Reviewed hundreds of comments from five outstanding requests for comment and published the resulting outcomes
  • Improved previous FedRAMP Boundary Guidance to produce a new proposed final standard for defining the boundary of FedRAMP authorizations based on public comment and changes to the operating environment
  • Developed a new draft standard to address devastating bottlenecks with significant change requests informed by stakeholder feedback and the Rev 5 Continuous Monitoring Working Group
  • Prepared a draft standard to demonstrate FedRAMP 20x with explicit criteria for achieving an automated FedRAMP Low authorization, informed by the Automating Assessments Working Group discussions
  • Finalized eligibility criteria for the first 20x pilots informed by stakeholder feedback
  • Explored leveraging existing industry-standard frameworks to meet FedRAMP 20x requirements in the Applying Existing Frameworks Working Group

Supporting GSA’s AI Priorities

Our small team of data scientists is constantly working to improve FedRAMP’s use of AI tools:

  • Developed an internal system using GitHub API and GSAi internal tool to review and prioritize GitHub comments, and create executive summaries
  • Participated in the performance evaluation of the GSAi tool and supporting models
  • Created GSA’s first living guide for larger-scale code generation for business applications in a safe and systematic manner
  • Created a lab environment with resources for Generative AI-based learning and prototyping
  • Created an API-first technology stack supporting near-realtime data activities and integration with modern technologies
  • Created an ontology and tool to extract structured information from complex scientific papers

Next Month: 20x Phase One Pilot & Continuous Improvement

The FedRAMP 20x Phase One pilot is open to the public:

Qualifying cloud service offerings that successfully complete Phase One will receive a 12-month FedRAMP Low authorization and will be prioritized for FedRAMP Moderate authorization in Phase Two. Federal agency sponsors are not required to participate in Phase One.

Learn more about the FedRAMP 20x Phase One pilot here.

In FedRAMP 20x, Key Security Indicators summarize the security capabilities expected of cloud-native service offerings to meet FedRAMP Low authorization requirements.

RFC-0006 Key Security Indicators proposes initial indicators for the 20x Phase One pilot and is open for public comment through May 25, 2025.

FedRAMP intends to replace the previous Significant Change Request process with an updated Significant Change Notification standard. The update asserts authorizations granted to cloud service providers include the authority to make changes that are in the best interest of agency customers without asking permission from an authorizing official in advance, in most cases.

RFC-0007 Significant Change Notification Standard is open for public comment through May 25, 2025.

Shifting perspectives on what used to be the FedRAMP Boundary:

The FedRAMP Minimum Assessment Scope Standard is an updated approach to determining what is included in a FedRAMP assessment and authorization. The approach avoids unnecessary detail to support FedRAMP’s ongoing shift from compliance-based to security-based decision making and assessment.

RFC-0005 Minimum Assessment Scope Standard is open for public comment through May 25, 2025.
Closing

We’ve done all of this while managing a shifting resource landscape, with the loss of many in our wider community who have been a part of the program for over a decade. As circumstances and priorities change across the government, our attrition rate is lower than we anticipated a month ago. We said goodbye to many people this month, including four federal staff and 26 contracted security reviewers who supported FedRAMP for many years and recently completed a record-breaking three-month review marathon that exceeded expectations.

Our team still has the right folks to deliver against FedRAMP 20x expectations and will continue to demonstrate our commitment through collaboration with stakeholders and continuous incremental delivery.

To have your voice heard about changes to the program, review and comment on our RFCs, join the discussion in our community working groups, and consider participating in our FedRAMP 20x Phase One pilot.