The Federal Risk and Authorization Management Program (FedRAMP) office may begin offering hands-on training for federal security officials.
Leaders from the General Services Administration-based office, which is in charge of governmentwide cloud security compliance, floated the idea during a panel appearance at the Cloud Security Alliance’s federal summit Tuesday afternoon.
“We’re going to start bringing security officers into our office, give them some training on FedRAMP, radicalize them to our methodologies…” Zach Baldwin, program manager at FedRAMP, said to laughter in the room. “My wife is a terrorism analyst,” he responded, explaining his “inappropriate” word choice.
Selected security officers would “work through a FedRAMP [authority to operate] project” and then be sent back to their respective agencies, he went on. The initiative would be a “grassroots effort” to “get the FedRAMP way out there.”
The concept bears some resemblance to existing federal training and knowledge-sharing programs.
At the Defense Innovation Unit in Silicon Valley, there’s HACQer, an immersive bootcamp that gives acquisition officials from across the Department of Defense a crash course in the way DIU uses its other transaction agreement (OTA) authority to do iterative contracting. The program, which was first launched in Spring 2018, recently chose its 2019 cohort.
It’s unclear how developed the idea for a FedRAMP training program is. FedScoop has reached out to GSA for further details.
FedRAMP currently offers a number of DIY online training opportunities that aim to “provide all stakeholders with a deeper understanding of FedRAMP and the level of effort that is required to successfully complete a FedRAMP assessment.” These trainings are targeted at cloud service providers and Third Party Assessment Organizations.
A recent report by GSA’s inspector general found that FedRAMP’s program office “has not established an adequate structure comprising its mission, goals, and objectives for assisting the federal government with the adoption of secure cloud services.” This lack of a clear and concise mission, the IG argues, means the office can’t really assess its own effectiveness.