The General Services Administration’s FedRAMP program is midway through a generational makeover to accelerate the pace of its work in evaluating the security of cloud services used by the government, and Brian Conrad – who ran the program from 2021 to 2024 leading into the current wave of change – is liking what he sees thus far.

Conrad, who moved to cloud security provider Zscaler in 2024 as the company’s director of strategic global compliance initiatives, gave us a director’s-eye view of the FedRAMP transformation last week, just as the program hailed its first four authorizations under the 20x revamp effort it launched in March. That effort places a heavy focus on automation to speed the approval process for the secure cloud services the program authorizes.

Driving the program change is the Office of Management and Budget’s (OMB) M-24-015 memo, issued last year, which provides guidance to overhaul FedRAMP in line with direction from Congress in the FedRAMP Authorization Act approved in late 2022.

Here’s how Conrad is sizing up FedRAMP’s recent progress, along with high hopes for further gains as the overhaul continues.

MeriTalk: We’ve been watching with much interest and reporting on the rollout of the program’s 20x effort. How is Zscaler viewing the 20x progress?

Brian Conrad, Zscaler

Conrad: Zscaler has always been a very strong supporter of FedRAMP, and we’re actively engaged with the Cloud Service Provider Advisory Board in looking at the direction in which FedRAMP is going. Having been through the process, we’re supportive of the changes that the FedRAMP Program Management Office (PMO) is making in terms of changing the FedRAMP authorization.

MeriTalk: For those of us not quite at the expert level yet, can you break those changes down for us a little bit?

Conrad: People still get confused that there’s an agency Authority to Operate (ATO) that has to be done and a FedRAMP authorization. The excitement around making the FedRAMP part of that more separate and distinct from the agency ATO I think is really helpful.

It will allow cloud providers who don’t have agency partners to get into the marketplace as a FedRAMP authorized service. In total, I think that’s good for industry, that’s good for government, and Zscaler is really supportive of those.

We’re also really supportive of all the post-authorization stuff that comes along with this, such as the significant change notification process. Having a system that has gone through FedRAMP’s legacy JAB [Joint Authorization Board] – any improvement in that process is a win for us.

Because as a commercial entity we have services and changes that we need to make in our system that can’t happen at the speed of government – they have to go at the speed of business and the speed of security.

We know that the government has had their role in this and legacy governance and processes, but we’re very happy to see that FedRAMP is engaging with industry to move the ball forward on those critical things, especially for the post-authorization activities which are going to benefit the entire community.

MeriTalk: Since FedRAMP announced its 20x effort earlier this year, there remains the more traditional Rev5 process where an applicant gets an agency sponsor to work with, and then there is the 20x portion that seems to focus on automation to speed approval processes more generally. What’s your view on progress since then?

Conrad: It’s important to keep in mind that the FedRAMP authorization is different than the ATO that’s required from agencies by FISMA. The OMB FedRAMP memo issued last year gives the FedRAMP PMO the freedom of action to determine what a FedRAMP authorization looks like.

FedRAMP Director Pete Waterman and his team are doing a fantastic job in turning FedRAMP from a compliance program into a security program by looking at key security indicators and how cloud providers can demonstrate those to get a FedRAMP authorization. But ultimately, the agencies still have to evaluate and accept risk on the cloud systems that they use.

And that’s where the ATO comes in, so they are two separate and distinct actions. It certainly helps the agencies along for there to be cloud providers in the marketplace that have FedRAMP authorizations and that have demonstrated the key security indicators and so forth. That will help agency authorizing officials to make their decisions faster, and that enables innovative technologies to get into the government more quickly.

MeriTalk: Can you give us some general thoughts about 20x, how it’s being rolled out, the pace of the effort, and the extraordinary degree of openness with which the program is going about it?

Conrad: I love it from both perspectives of having been in the FedRAMP PMO, and now from my perspective at Zscaler.

I think that Waterman is spot-on having industry do what industry does best and having FedRAMP guide that along and make decisions on how to make that marriage between industry and agencies happen. I think it’s a really great thing to see, and it’s out of necessity for sure.

The PMO is not the size it was – certainly when I was there. And under the constraints and restraints that the PMO has, 20x is leveraging industry more heavily and I think it’s a brilliant idea.

MeriTalk: Again, on the 20x front, the program has laid out a timeline of pilots for low authorizations through later this year, then maybe by the end of December a moderate authorization pilot, and then into the new year some high authorization pilots. As a person who used to run the program, how does a schedule like that seem to you?

Conrad: You have to think about again, they’re making a wholesale change to FedRAMP – it’s not a compliance program anymore, it’s a security program.

From my perspective they are taking the crawl, walk, run approach, learning as they go, and applying the tactics, techniques, and procedures that they need in order to be successful with moderate and high through the low authorization pilots.

It’s a huge effort to undertake and I think they’re doing it very smartly, and again with the interaction of industry and not trying to rush something through that may fall apart eventually.

I see it as a building block approach – here’s what we learned doing the 20x low path, let’s take those lessons and apply them to the moderate, let’s take those lessons and apply them to the high. I think that’s going to be a benefit across the board.

MeriTalk: Another consistent message through some of the 20x working group meetings seems to be watch what we end up liking to see in low pilots, and then in moderate pilots, and maybe you’ll see emerge from that some certainty on what we like and some software and tooling as well. Is that how you are seeing it?

Conrad: Absolutely. Another thing to think about is that the majority of the systems in the marketplace are at the moderate impact level, and there’s not a lot of demand from agencies on low impact level systems. That makes the moderate level the sweet spot where agencies are keeping federal data.

I fully agree with the fact that technology will be made available, systems will be made available. If you think about it, when FedRAMP first started working with NIST to develop the open security controls assessment language (OSCAL) back in 2021, we saw a bunch of GRC tools start implementing the ability to ingest packages in OSCAL. That’s just a market reaction to the state of being, and I think that’s going to be something that we continue to see. And we’ve seen other firms take that on as these changes to 20x are happening.

MeriTalk: We’ve heard some talk in the market from people who foresee eventually getting authorizations through pretty quickly, and perhaps even into the thousands in terms of total volume. Any thoughts on the realistic likelihood of something that dramatic?

Conrad: I can offer some conjecture. Because of the difference in what a FedRAMP authorization is, because the focus is more on the key security indicators instead of compliance, because the focus is more on security versus compliance, and the implementation of emerging technologies to do that, I think that with those combined you’re going to see orders of magnitude, or at least a large increase.

In FedRAMP’s best year when I was there, we did around 50, and only five or six of those were from the Joint Authorization Board. I think you’re likely to see two or three times that, at least in the short term.

MeriTalk: So, pretty impressive results then?

Conrad: And that’s totally within the intent of the OMB FedRAMP memo, where the aim is to increase the marketplace of innovative technology for agencies to use.

FedRAMP has developed a path to get a FedRAMP authorization to get those systems into the marketplace for agencies to choose from, and it’s very much a stated intention behind the OMB memo for FedRAMP to grow, and the legislation behind the OMB memo gives the PMO the opportunity to create authorization paths to support that. I think it’s going to be quite wonderful.

What’s happening in FedRAMP right now is setting it up for the future. This hard work now is going to create that better future and set the program up to be a more recognizable and critical piece of Federal cybersecurity.

This is just the beginning of some really great things.

John Curran
John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.