An open source approach to FedRAMP

A presentation at Carahsoft FedRAMP Forum in in Washington, DC, USA by Shawn Wells

Recent news headlines include how GSA took their ATO process from 6 months to 30 days, the Navy’s “Compile to Combat in 24 hours” capability, or how ORock achieved FedRAMP Moderate in three months.

These rapid ATO success stories sharply contrast to opinions that FedRAMP, FISMA, and broader initiatives like Controlled Unclassified Information (CUI) slow down innovation.

Via NIST 800-53 the U.S. Government created a security control catalog. Could a <i>response catalog be created, sharing prepopulated answers for common technologies like operating systems and container platforms? If we could create a control response catalog, could deployment-specific ATO materials be dynamically generated?

This talk steps through a joint industry/government initiative called OpenControl, which in partnership with GSA and NIST, is working to automate much of the ATO process.

Conference slides also available at