Fixing FedRAMP: How Automation Cuts ATO Time by 36 Weeks

Connect to John Gilroy on LinkedIn https://www.linkedin.com/in/john-gilroy/

Want to listen to other episodes? www.Federaltechpodcast.com

Way back in 2011, one of the goals of FedRAMP was to eliminate software redundancy. The federal government had evolved to the point where one agency would spend millions of dollars on the same application program that the agency in the same zip code had just invested heavily in.

The theory proposed by luminaries like Vivek Kundra was to move to the cloud to share services. Reducing cost and improving resilience. FedRAMP was the initiative that established a safe environment for federal cloud use. Companies can comply with regulations outlined in an Authorization to Operate (ATO).

Well, fifteen years later, and we are seeing the same duplication not in the application programs, but in the process to get the ATO itself.

For example, FedRAMP, RMF, and agency internal policies may require specific artifacts to satisfy one or the other.

During the interview, Travis Howerton paints the legacy model—static documentation, annual/3-year audits, spreadsheets. His solution is to have AI assist with documentation, which will drastically reduce compliance time; he cites an example of reducing a process from 52 weeks to 356 weeks.

RegScale uses OSCAL (XML/YAML/JSON) to auto-generate RMF artifacts and integrate with SIEMs (Splunk, Elastic), Axonius, ServiceNow, and APIs.

Howerton understands the limitations of many automated systems and suggests that a human is a key component after the machine language has assembled the data to make the decision.