The GovNavigators Show
Welcome, everyone, to The GovNavigators Show - a government-focused show that won’t make you seasick.
We hope to enlighten and enliven your week with news and insightful, entertaining guests all on the topic of government management.
Check out more at www.govnavigators.com
Rewriting FedRAMP: Inside the Push to Modernize Federal Cloud Security
This week on the GovNavigators Show, Adam and Robert sit down with Ryan Hoesing, Chief of Staff for FedRAMP, and Nicole Thompson, Security Director, for a deep dive into one of the most consequential federal IT programs undergoing transformation today.
Ryan and Nicole walk through the sweeping changes to the FedRAMP program and explain what the new “FedRAMP 20x” approach means for agencies and industry. They unpack the shift from authorization to certification, the move toward continuous and machine-readable security data, and why redefining FedRAMP’s role is critical to making cloud adoption actually work across government.
Show Notes:
What's on the GovNavigators' Radar:
- Mar 31: Oracle Federal Forum
- Apr 8: ACT-IAC Contact Center Summit
Welcome everyone to the GovNavigators Show, a government-focused program that won't make you seasick. We're the GovNavigators. I'm Robert Check. And I'm Adam Hughes. We hope to enlighten and enliven your week with news and insightful, entertaining guests, all on the topic of government management.
SPEAKER_01: Enjoy today's episode of GovNavigators, brought to you by the creative geniuses behind the award-winning podcast Fedheads.
SPEAKER_02: Well, Robert, I thought we were out of the woods there for a brief period.
SPEAKER_01: Yeah. As we were talking, you were like, oh, we got DHS funded. Well, not so fast. Cooler heads have not currently prevailed. It may be that by the time this actually airs, they could have gotten all this figured out. But as we speak, the Senate passed DHS appropriations with the exception of ICE. The House was struggling, but it looked like they were gonna take it up and pass it. But not so fast.
SPEAKER_02: Yeah. And you know, we've talked a lot on this podcast about the challenge that Speaker Johnson has, that any speaker would have, with only a one or two vote majority. But we gotta get past this: I'm upset about something unrelated, therefore I'm not gonna vote for the policy that's in front of me. So for the most part, what the Senate passed, everyone agrees to. Everyone thinks it's fine. No one's saying no, we should be able to do that. Chip Roy is worked up. When is Chip Roy not worked up? Anyway, it's abominable. I think we need to get away from this. Yeah, so it's sort of ridiculous, the antics that are going on right now. And again, as people who are regular listeners know from the last couple of episodes, I'm really most concerned because I am flying tomorrow. So I want to make sure I get through security. Once that trip's over, you know, maybe this can go on forever. I don't know.
SPEAKER_01: It's always about you, isn't it?
SPEAKER_02: Kidding, kidding, that's a joke, everyone. All right.
SPEAKER_01: I just did hear an interesting statistic. The government's been partially closed for 20% of the president's second term.
SPEAKER_02: Oh my god. Now I just want to curl up in a ball and never come out of my hands. Not a pretty... that is not an impressive statistic. Things may have changed by the time this airs. So we should have that. Yeah, we should have the impure politics thing on, you know, this is recorded at this time, and things may have changed. So fingers crossed that they do get it open. The government needs to be open. We can have policy disagreements, but we can't keep jigsawing people into positions where they can't do their jobs at all.
SPEAKER_01: Things are moving elsewhere. True. President's anti-fraud task force met this week. The vice president's anti-fraud task force. Well, it's the president's, the vice president is the chair, but it's the president's. Yeah. So maybe fraud, maybe they'll actually stop some fraud.
SPEAKER_02: Wait, I was like, was it just intros? Did they do like two truths and a lie? What was it? I was not in the room. Okay. So nobody knows how far they've gone. But I mean, we have mentioned this too. I think this is a good thing overall. More high-level attention on trying to not just continue the progress that we've made, but accelerate the progress that we've made, I think will help. Cross your fingers. Very good.
SPEAKER_01: Congress is also working on legislation in this arena that should move the ball down the field.
SPEAKER_02: Yep. Yep. And we're monitoring that. More to come on that in the next week or two. The judiciary weighed in on the DOD-Anthropic spat and stayed DOD's designation of Anthropic as a national security risk to the supply chain.
SPEAKER_01: Because they wrote their opinion with Claude. They know it's essential. It's actually essential to our national fabric. That's true.
SPEAKER_02: It did come out at the end of the week, so they're probably like, look, I don't want to be working on this over the weekend. So let's accelerate the work on this. So yeah, obviously that's a win for the company. I also had read an interesting article, I think it was in the Wall Street Journal, about how close DoD and Anthropic were to an agreement before it all broke down. And apparently, even after Hegseth made the announcement, and the president made the announcement, that no one in the government could use it anymore, they were still 98% of the way to an agreement.
SPEAKER_01: Hey ChatGPT, how can I scuttle this deal?
SPEAKER_02: Okay. So obviously people are continuing to watch that. I did talk to a few folks at a couple agencies who said that they are working to disentangle themselves because that is the directive. And it is very difficult and complicated. So them getting to an agreement where people can continue to use this is the best outcome. So hopefully they will get that last two percent done.
SPEAKER_01: One last thing: an executive order was issued that requires federal contractors to adopt a provision in their contracts certifying that they do not engage in racially discriminatory DEI activities. I feel like I've seen this movie before. Yeah, well, now you'll see it in every contract clause, in every federal contract. And their subcontractors. No, seriously, didn't they already do this?
SPEAKER_02: Wasn't this done like a year ago? No, it's an executive order. Oh, okay. Well, more contracting clauses. The FAR continues to expand after they trimmed it down nicely. I see. Okay. All right. So we're excited about our guests this week. We've talked a lot about FedRAMP in the last year. There's been boatloads of activity, work, great work that's being done to improve the program. And you're going to get to hear from a couple of people who have been making that work happen. We guarantee it's going to be fun. Robert, we're pulling back one of the hardest working teams in government to talk with us today. And I'm excited to get an update. Ryan Hoesing, who's the chief of staff to the FedRAMP program, and Nicole Thompson, who's the security director at FedRAMP, are here to tell us about the plethora of activity that they have been pushing out through this program. And really, I guess it's the last year. Have you guys lost count of how long you've been pushing out frequent updates and asking for tons of comments from the community?
SPEAKER_00: Feels like it's been 10 years. And sometimes like it's only been 10 days.
SPEAKER_02: So spot on. The year has gone by very quickly, but yet it seems like it has gone on forever. So, well, before we jump into the nitty-gritty on FedRAMP, tell us a little bit about each of you. How did you end up at the FedRAMP program? Talk a little bit about your career before that and how you ended up in public service. Ryan, why don't you jump in first? Cool. Yeah. So I've been around here at GSA for quite some time. I started at GSA in 2014 after serving in the Peace Corps in Benin, West Africa. I was doing community economic development over there. Didn't know what I was going to do after the Peace Corps and actually was able to connect with somebody who worked at GSA. Said they were hiring a position in, at the time, what was the Office of Citizen Services and Innovative Technologies. And that office actually housed FedRAMP. And so my initial role, the first couple of years, I served as an executive assistant for the SES who was running that office. And then Steve McClear at the time, right? Was Dave running it then? Dave was just out. It was Kathy. Yeah. Kathy Conren was in Beer Shrooms. Yep. Yep. So she was. I served under her as her EA. And then around that same time was when ETF just was stood up and TTS was not even alive yet. TTS was something that they were talking about becoming a third service for GSA to sit kind of next to PBS and FAS. And so they took over the chief customer officer, Federa Crusos, and I moved over and served under her and did that for another year. And you know, I got to learn a lot of ins and outs of how the C-suite worked at GSA, but I really wanted to be more of a contributor to a program. And FedRAMP just continuously came up. Everything, FedRAMP was the shiny object. And I was like, I kind of want to work on this FedRAMP program.
So I talked to the director at the time, Matt Goodrich, and he pulled me over to do kind of business development, help out with the agency authorization process. And I've been here eight years in various roles, seen a lot of change with the program. The last year, probably the most change we've seen since I've been with the program. And it's been a really cool ride. I'm happy, you know, to have people like Nicole join. We had a bunch of folks join from outside of GSA, and it's given us a really new perspective on how to look at things, and really excited where we're going with the program. All right, Nicole, you're up. I'm hoping this involves something about losing the barbed or something, is how you ended up at GSA. So don't let me down.
SPEAKER_00: Close, but not quite. I actually started cybersecurity as kind of a hobby interest. I was always curious how things worked from, you know, back when I was a middle schooler. And my dad took me to the ham radio conventions, bought me the build-your-own AM radio kit, so I learned how to solder electronics and all of that. So I was always kind of a builder and a tinkerer. And so I made my way through college, got a computer science degree, and managed to convince the engineering department to let me take some of the engineering classes as well without taking the full list of prerequisites that they needed. And from there, just kind of jumped into a civilian career in the Navy, helping them do some of the hardware-software integration over there. Eventually branched into helping them start the aviation red team, where we were taking a look at attacking airplanes, avionics, all sorts of crazy things. That experience really started shaping my opinion of formal risk management programs, mostly for the negative, because most of the systems that we were going after had already been through a risk management program and were managed by risk management programs. And yet their security controls were woefully inadequate. From there, I took a few hops around, but ended up in the Defense Digital Service up at the Pentagon, kind of pushing the boundaries of how we can innovate in government and bring technical expertise to make meaningful change in the Department of Defense at the time. I worked really closely with the Hack the Pentagon program, where we were implementing bug bounties across the Department of Defense and kind of introducing new ways of testing security of programs. From there, FedRAMP actually asked me to serve on their technical advisory board to be part of the technical expertise that guided the program. And then when Pete took over as director, one of the first things he also did was start looking for a security director.
And so he let the technical advisory group know that he was about to put out that position and encouraged us to apply. And I saw how excited the digital services community was to have Pete leading a program like FedRAMP. And I was excited to get to know Pete a little bit better. So I threw my name in the hat and somehow wound up over here.
SPEAKER_01: Somehow. Sounds like the perfect spot. And what a great story. A soldering iron. You know, first of all, not every acronym is created equal, but y'all have a pretty cool one. Tell us, what does FedRAMP stand for? And give us a little play-by-play of what the last year has involved in the evolution of the program. Who wants to go?
SPEAKER_02: I'll talk about what FedRAMP stands for, Cole. You take an easy one, Ryan. I like that. Yeah, take the easy part of it. Yeah. I mean, I can provide some input on last year, but FedRAMP itself is the federal risk authorization and management program. And for those who are listening and don't know, it originally came out of an OMB policy memo written in 2011. Yeah. Don't ever tell the OMB guy that OMB is the center of the universe. Yeah. So it's been around for a while, but that policy memo written in 2011 hadn't been updated for almost 10 years. So FedRAMP was moving along, plugging along, following the guidance that was laid out in that policy memo. And it wasn't until 2023 that the National Defense Authorization Act actually was passed, which codified FedRAMP into law. As it was a policy memo, it became a law. And within that law, it actually required OMB to rewrite a policy memo, which was M-24-15. For those following along, 24 is the year. No, Ryan, you're at the upper echelon of guests now, having dropped an M memo number. That's... oh, okay.
SPEAKER_01: I think understanding the numbering system of OMB memos is sort of like the cost of entry to the podcast. So you have to... it gives you a little test, and then you can log on.
SPEAKER_02: Just use that when you come to the GovNavigators speakeasy, use that. It gets you right in. You go to the front of the line.
SPEAKER_01: Yeah.
SPEAKER_02: I'm with M-24-15. Yeah.
SPEAKER_01: Extra credit if it's 02 to 08.
SPEAKER_02: So those, the law with the policy memo, required a lot of changes in FedRAMP. And it hasn't been until this last year where we've really been able to dig down and make some of those changes. And we're still doing it today. I'll let Nicole talk about the last year a little bit more, but we are looking in the May-June timeframe to release our consolidated rules for 2026. And that's going to take kind of everything we did this past year and consolidate and put it out there and let it sit, because I know for folks following along, there have been a lot of changes. We're up to our 24th RFC, about to release our 25th, which is a request for comment. And that was something mandated by the law. Nicole, do you want to talk on 20x and some of the things we did, maybe?
SPEAKER_00: Yeah, sure. The past year has been really an accelerated time frame of refactoring FedRAMP to align more closely to the OMB memo and to the FedRAMP Authorization Act. The OMB memo identified several very common complaints about FedRAMP, about how FedRAMP was implemented across agencies within the government, and charged the FedRAMP program office with going out and correcting some of the... Honestly, one of my memorable moments before I even thought about joining FedRAMP was attending ShmooCon in DC, as DC's, you know, premier security conference. May it rest in peace. Yeah.
SPEAKER_02: I was like, well, I almost went one year and then I didn't. And then I was like, wait, what happened to it? I was like, I can't hang with actual people that work in cybersecurity. I don't speak cybersecurity, so I can't do any of it. But anyway, sorry, keep going, Nicole.
SPEAKER_00: But I attended a talk that was basically half an hour of everything that is wrong with FedRAMP and why it completely misses the mark. And so that was also kind of at the top of my mind when we were coming in and reframing FedRAMP to align more closely with some of the memos and the law that had come out. And it also has been a year of correcting a lot of misconceptions about what FedRAMP was designed to be. So 20x is about changing the perception of FedRAMP from being a program that guarantees that a cloud service provider meets a minimum bar of security and therefore is acceptable for use within the federal government, and changes the concept of FedRAMP into we are assembling a security package that has enough information in it for an agency authorization official to make an authorization decision based on that package. And every agency is going to be different based on their mission needs, what risk they're willing to accept. But FedRAMP's commitment is that we will assemble a package that has the data that you need to make an authorization decision. We're also doing a few other notable things like changing significant change requests over to significant change notifications so that the government can get out of the way of cloud service providers innovating over their own platform. Some of the other things that we're doing are really encouraging cloud service providers to stop creating separate federal tenants just for the federal government. We really want to more closely align with commercial security practices so that we can just use the native commercial cloud instead of spinning out federal tenants that often have feature disparities between the commercial and the federal tenants.
Those are a few of the things that we've been doing, but a flurry of activity, and the move from Rev5 to 20x has been really focused on getting machine-readable data that is continuously updated over the course of the year in near real time, so that you're not relying on annual authorization packages that are updated.
SPEAKER_02: Submissions and approvals, right? Right. Yeah, right.
UNKNOWN: Yeah.
SPEAKER_02: So I mean, I've watched what you guys have done. I think my perception is that there's a lot of excitement in industry about the changes that you're making, even though anytime you change something in government, anytime you move somebody's cheese, they get pissed, right? I get that. And it's interesting too to hear you talk about a lot of what you're trying to do as messaging, like a change management process that actually has nothing to do with the technical aspects of FedRAMP and FISMA and cybersecurity. Because we struggled for so long. I was at GSA from 2012 to 2016, for so long, to get agencies to accept FedRAMP approved cloud providers. You don't need to do, at the beginning at least, you don't need to do an ATO. You don't need to approve, it's already approved, it's ready for use. We've done the work for you. Never caught on, never got past internal agency review and risk management processes. So really, acknowledging reality, I think, is such a strong way to improve programs, right? This, yes, sure, it says it. This is what we're supposed to do. This is the way we've always done it, but it doesn't actually work. So I'd love to hear from each of you about that part of it first and how agencies are receiving this, the change in messaging, the reformatting of what FedRAMP is trying to achieve. And has that been a smooth process? Are you hearing from them? We don't need to name anybody, but like the same sorts of excitement around we're trying to make this work for you.
SPEAKER_00: Yeah, I think it's important to acknowledge that there was this idealized perception of FedRAMP that FedRAMP could accept risk on behalf of the entire federal government. And that's just not a realistic expectation because every agency has the responsibility to own their own risk and their own mission requirements. And because every agency is different, FedRAMP was set up to fail from the very beginning if its mission were truly to be the one place in government that can accept the risk of using a cloud service provider. So by acknowledging that and correcting that misconception and really clarifying FedRAMP's goals, I think it provides us an easy way to move forward from now on, empowering agencies and giving them the tools that they need from a centralized place like FedRAMP, and then giving agencies the ability to go out and make their own risk decisions from that.
SPEAKER_02: Ryan, did you want to add anything on that? Yeah, I mean, that is one of the misconceptions that I've seen working at FedRAMP for many years. You know, we've had previous folks working here say FedRAMP's, you know, your easy button. It gets FedRAMP authorized, you can use it. There's some truth to that, but the reality is, as Nicole said, every agency makes their own risk decision. And what may be good for GSA, you know, if we have a spreadsheet or a system that's tracking a bunch of pencils, GSA is going to authorize that at low. If we have a system that DOD is using to track missiles, Tomahawk missiles, that's a different risk factor if that system is compromised. It may be the same system, but they may want that system compromised or authorized at high. So they may even want to do that to track pencils; they may make a different risk decision on the same exact product, right? Yeah. Yeah. But this is really, you know, what it comes down to: every agency needs to issue an authorization for their own use at their agency. And I want to make that very clear. And that's even in the law. The law actually mandates that federal agencies send their ATO letters to the GSA administrator, delegated down to the FedRAMP director, so we can track those ATOs and understand return on investment on how many systems are used in the government. And this whole idea of do once, use many, that is true. They're doing one security assessment that is then used by every agency to make their own risk-based decision. We're not doing one authorization that is used by everybody. And I think you'll see this in the coming year. We recently had an RFC out, I believe it was 24, and Nicole maybe can keep me honest. There's a lot of them. But the crux of... Nicole is furious. Scrambling to look up whether the number is correct.
SPEAKER_00: Put out so many, it's hard to keep track.
SPEAKER_02: The crux is we're changing FedRAMP authorization to FedRAMP certification. And part of that is because of the misnomer and agencies thinking, oh, it's FedRAMP authorized, I'll just use it. Now it's FedRAMP certified. You need to go and issue your own authorization. That's been for 10 years an issue we've been trying to solve. And words really matter, because when agencies come and just start using a product, they're not configuring it properly. If they're not configuring it properly, that's how you see security vulnerabilities, security risks happen.
SPEAKER_00: FedRAMP also assesses the package and provides a review summary that highlights some of the common risks that we see in the package, so that it helps agencies kickstart their authorization process by identifying some of the higher risk parts of the package that we have noticed. That's somewhere that FedRAMP really helps agencies at least get a little bit of a leg up in the authorization process. But then you also asked about what agency reactions have been to some of this. And I think it's very fair that some agencies have had some trepidation about the amount of changes that we're making and how quickly the changes are being propagated. But we've been very transparent about running pilots, iterating on change, accepting feedback, publishing RFCs to transparently announce our intentions of where we're taking the program. And for the agencies who have hopped on board to some of the pilot projects that we've been doing and participating in the open betas of things like the significant change notification process, the feedback that we've gotten has been overwhelmingly positive, both from industry and from agencies.
SPEAKER_02: Yeah. What Nicole is actually talking about is something that I'm extremely passionate about. And it's our balance improvement releases. And those are specifically updates to the old traditional Rev5 authorization process. So while we've built this awesome new process in 20x, we're also taking the best things we're learning from that and taking them over to the Rev5 process. So there's incremental change for agencies that are using that process to get to a better outcome in security.
SPEAKER_01: So we're about out of time. It's a weird business you're in, right? If you're successful, nothing happens. How do you measure the impact of what you're doing? I'll take a stab at that one first.
SPEAKER_02: You know, one of the things this administration has been clear on is they want to bring innovative, modern solutions to the government. And so FedRAMP has really focused this last year on doing that with the 20x process, making it easier, without doing anything that is detrimental to the security aspect, for companies to come in and sell their products and become FedRAMP authorized. We had 25 vendors come through the 20x process. We've worked with the FedRAMP board to prioritize AI vendors to come through. And we're not doing that in a vacuum. We're doing it all in the open. We're working with agencies. So if you look at this past year, I would just say the measure of success was the amount of FedRAMP authorizations we have done. That gives more tools to agencies to use. It's then up to the agencies to pick up those tools, look at the security, and make that risk-based decision on whether or not they're comfortable with the risk posture of those tools.
SPEAKER_01: That's great. Well, congratulations for that. Congratulations for all the reform you're undertaking. And grateful to you both for spending some time with us.
SPEAKER_00: Thank you so much for having us. Yeah.
SPEAKER_01: Thank you guys.
SPEAKER_02: So that was fantastic. I love chatting with folks who are really making progress on improving the management functions in the federal government. And it helps you sleep better. Really does. Yeah. So you're out all week. All week, you know, the first of many Adam Hughes sponsored GovNavigators Vacations in 2026.
SPEAKER_01: Where are you going?
SPEAKER_02: We're gonna... we'll be in Florida a couple days in Disney and then go and see my brother in West Palm Beach at what Molly calls the old people's home. It's my daughter. It's a country club, and yes, my brother is probably the youngest person who's a member there, but we're trying to keep her, particularly when you're there. You don't really want that language to get out. Like, oh, this is a great old people's home. Yeah, let's put a lid on that. Yeah, we'll be down in Florida for the whole week. Yeah. Oh, I'm looking forward to it. It's delightful. It's a really nice place. So you're going on a speaker circuit.
SPEAKER_01: You know, the Oracle Federal Forum is Tuesday, exploring innovation, security, and cloud solutions tailored for the federal government. So I hope folks will register for that. Yeah. And then speaking. I'm speaking. Yep. It's like three o'clock. So even if you just come for that session. Yes. You're gonna be on, you're hanging out with our friend Francis Rose, too. Francis Rose. I'll be on Sunday morning at 10. So everybody should be watching Fed Gov Today, Sunday at 10. I honestly think I'll be at the airport, so I might tune into that.
SPEAKER_02: It'll probably be on the TVs at the... I think it will. Yeah. Palm Beach. At a small airport in West Palm Beach. Yeah, it definitely will be on there. Also coming up next week, ACT-IAC has their Contact Center Summit. That's like for your eyes. Yeah, yeah. I think they gave me a free eye exam with registration, so you should check that out. No, this is like contact centers, like for customer support to resolve your issues. So I see: delivering a modern experience through innovative contact centers. That's Wednesday, the 8th, 8:45 to 3:30 at the Carahsoft Collaboration Center. Wouldn't it be funny if it was just a meeting of bots? Would you like to talk to a real person here? Please press zero. No, but if you're looking to make good jokes about the ACT-IAC Contact Center Summit, you should register and go. I think it'll be good. Have a great trip.
SPEAKER_01: See you when you get back. Thanks.
SPEAKER_02: Thanks for listening to another episode of the GovNavigators Show, brought to you by GovNavigators.
SPEAKER_01: We sure hope you enjoyed it and learned something in the process and didn't get seasick. Right, of course.
SPEAKER_02: If you want to know more about us and what we're up to, please follow us on social media or visit govnavigators.com. Ahoy!