April 1, 2025
Subscribe and listen anytime on Apple Podcasts, Spotify, or at FedGovToday.com.
Former Acting FedRAMP Director at the General Services Administration (GSA), Brian Conrad, shares his perspective on the changes coming to the FedRAMP program and what they mean for both government agencies and cloud service providers. Drawing on his experience leading the program, Brian outlines key challenges that have shaped FedRAMP’s evolution and offers insight into how the new direction aims to resolve them.
A central theme in Brian’s remarks is the increased collaboration between industry and government. He emphasizes the value of bringing cloud providers into the conversation to develop solutions that serve both the needs of agencies and the private sector. With nearly 400 providers in the FedRAMP Marketplace, Brian notes there’s a wealth of innovation happening on the industry side. The new push toward working groups and shared problem-solving reflects a growing recognition that better outcomes come from working together.
Brian identifies several persistent pain points that providers brought to his attention during his time at FedRAMP. Chief among them is the difficulty of finding an initial agency sponsor — a necessary step in the current process for FedRAMP authorization. He describes this as a classic “chicken-and-egg” dilemma: companies need FedRAMP approval to secure contracts, but can’t get approval without an agency partner. He’s encouraged by current FedRAMP leadership’s plans to eventually allow companies to move through the process without that initial sponsorship, a change that could dramatically open up the market.
Another significant challenge Brian discusses is continuous monitoring — the ongoing requirement for cloud providers to demonstrate that they’re maintaining security standards. While the FedRAMP PMO has made strides in coordinating this process across multiple agency authorizations, Brian sees real promise in automation. He points to the potential of emerging technologies to ease the burden on providers while giving authorizing officials more timely and actionable data. He doesn’t label it AI specifically, but he supports the idea that tech should be used to do what it does best — streamline repetitive tasks — while humans focus on risk-based decision-making.
Brian also touches on the alignment between FedRAMP and state-level efforts like GovRAMP. He highlights GovRAMP’s success in helping states harmonize requirements, such as through the release of a Criminal Justice Information System overlay in partnership with DOJ. He believes there’s room for productive collaboration between the federal and state systems, particularly as demand for secure cloud services grows across all levels of government.
Ultimately, Brian says the true measure of success for the updated FedRAMP program goes beyond process improvements. While reducing the authorization backlog, increasing competition, and speeding up approvals are all important goals, the core mission remains clear: ensuring that federal data is truly secure. Every innovation, policy change, and new initiative should support that outcome. For Brian, the program’s legitimacy and impact rest on its ability to deliver real, verifiable security — and he believes the coming changes have the potential to do just that.