A GSA spokesperson said in an email to Federal News Network, “GSA will have interim leadership set up in the near future and we’re building a strong leadership team to support FedRAMP.”
It’s also unclear who will step into the acting director role at FedRAMP once Conrad leaves. GSA recently hired Eric Mill as the director of cloud strategy, a role that includes oversight of FedRAMP and other security programs.
GSA has not had a permanent FedRAMP director since Ashley Mahan left in January 2021 to become acting assistant commissioner for solutions in GSA’s Technology Transformation Service. Mahan now works as a policy analyst in the Office of the Federal Chief Information Officer in the Office of Management and Budget.
“Last year, Brian managed the development and launch of the redesigned FedRAMP marketplace, as well as leading the PMO’s efforts in establishing the Federal Secure Cloud Advisory Committee, as required in the FedRAMP Authorization Act,” wrote Mukunda Penugonde, deputy director of TTS, in an email to staff. “Under Brian’s stewardship, FedRAMP experienced a 30% increase in the number of secure cloud services available to the government. Brian has been instrumental in attracting talent, with a diverse set of skills, who are critical to the continued growth and modernization of the program over the long term.”
Over the last three years, Conrad has led the cloud security program through significant changes, including the initial implementation of the FedRAMP Authorization Act, signed by President Joe Biden into law in December 2022.
OMB released draft updated guidance for FedRAMP in October with a focus on software-as-a-service and changing the oversight of the program. Among the changes in the works is a new emerging technology framework to help prioritize artificial intelligence and large language model (LLM) capabilities in the cloud, new penetration testing guidance and updates from NIST 800-53, Rev. 5.
Conrad has overseen the growth of the FedRAMP office, which now has more than five full-time staff members. He said at the ATARC CIO Summit in December that he expects the program office staff to continue to grow in 2024 and beyond.
“We’ve been listening to industry feedback and input on FedRAMP as we continue to build an overall strong FedRAMP team. We look forward to seeing continued growth and progress on FedRAMP,” said Ann Lewis, the TTS director, in an email to Federal News Network.
The number of cloud service providers under FedRAMP also grew over the last three years from around 100 in 2018 to 328 today.
FedRAMP RFQ is out
All this growth brings a host of new challenges for FedRAMP.
Most recently, Conrad led the effort to bring more modernization to the program. GSA recently released a request for quote through the e-Buy platform for a governance, risk and compliance (GRC) solution.
GSA said in a release the GRC tool will:
Shift from documentation to machine readable, OSCAL-based data
Provide application programming interfaces (APIs) facilitating system-to-system integration with our stakeholder community
Include outreach, training, tooling and technical support to ease onboarding cloud service providers (CSPs), agencies and third-party assessment organizations (3PAOs) to the solution
Refactor processes to leverage our new capabilities to improve and streamline the stakeholder experience
Bids are due March 21.
“FedRAMP has been making progress towards its goal of automating the Joint Authorization Board (JAB) and agency authorizations. During various pilot programs, they have successfully accepted ATO packages using the Open Security Controls Assessment Language (OSCAL),” said Valinder Mangat, chief innovation officer at DRTConfidence, in an email to Federal News Network. “FedRAMP’s commitment to automation is reinforced with the latest RFQ for acquiring a GRC platform, enabling CSPs to submit OSCAL-based ATO packages within 120 days of the award. As a member of FedRAMP’s early adopter program, we are excited about this initiative and OSCAL becoming a machine-readable medium for ATO package submission.”
Conrad said at the ATARC event in December that FedRAMP has been working with the National Institute of Standards and Technology for several years to develop the approach to using OSCAL, so that authorizations move through the process faster without losing any security rigor.
“We have to make sure authorization packages are of sufficient quality. After 10 years that’s still an issue,” he said. “We want to make sure when packages come in we can leverage automation to do automated validations. We are leveraging OSCAL to do this. We are very excited about automating not just assessment processes, but seeing what we can do to help agency authorizing officials get them vulnerability information or information about cloud providers so they can make decisions more quickly.”
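Conrad’s point about using OSCAL to run automated validations on incoming packages, as an added illustration that is not FedRAMP’s or GSA’s code: a small Python check over a constructed OSCAL SSP fragment that flags an empty implementation description, a control listed twice and a baseline control the package omits. The field names follow the OSCAL system-security-plan JSON model; the UUIDs, the required-control list and the text are invented for the example.

```python
# Constructed minimal OSCAL SSP fragment: field names follow the OSCAL
# system-security-plan JSON model; UUIDs, controls and text are invented.
COMP = "cccccccc-cccc-4ccc-8ccc-cccccccccccc"  # constructed component UUID

def req(uuid, control_id, description):
    """Build one implemented-requirement entry in OSCAL SSP JSON shape."""
    return {"uuid": uuid, "control-id": control_id,
            "by-components": [{"component-uuid": COMP, "uuid": uuid[:-1] + "f",
                               "description": description}]}

SAMPLE_SSP = {"system-security-plan": {
    "uuid": "11111111-1111-4111-8111-111111111111",
    "control-implementation": {
        "description": "Constructed sample, not a real package.",
        "implemented-requirements": [
            req("22222222-2222-4222-8222-222222222222", "ac-2",
                "Accounts are provisioned via the IdP and reviewed quarterly."),
            req("33333333-3333-4333-8333-333333333333", "ac-3", ""),
            req("44444444-4444-4444-8444-444444444444", "ac-3",
                "Second entry for the same control."),
        ]}}}

# Constructed stand-in for the control IDs a baseline requires.
REQUIRED_CONTROLS = ["ac-2", "ac-3", "au-2"]

def validate_ssp(ssp, required):
    """Return sorted findings; an empty list means the package passed."""
    findings = []
    ci = ssp["system-security-plan"]["control-implementation"]
    seen = {}  # control-id -> number of implemented-requirement entries
    for entry in ci.get("implemented-requirements", []):
        cid = entry["control-id"]
        seen[cid] = seen.get(cid, 0) + 1
        # Every by-component description is blank -> nothing for a reviewer to assess.
        descs = [bc.get("description", "").strip()
                 for bc in entry.get("by-components", [])]
        if not any(descs):
            findings.append(f"{cid}: no implementation description")
    for cid, n in seen.items():
        if n > 1:
            findings.append(f"{cid}: listed {n} times")
    for cid in required:
        if cid not in seen:
            findings.append(f"{cid}: required by baseline but not implemented")
    return sorted(findings)

if __name__ == "__main__":
    for line in validate_ssp(SAMPLE_SSP, REQUIRED_CONTROLS):
        print(line)
```

A real submission would be loaded with `json.load` and checked against the controls of the actual baseline profile rather than the constructed list above.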
Improving agency authorizations
At the same time, Conrad has been focused on improving the program’s processes. He said back in December that the PMO is doing an internal study looking at the agency authorization process to determine how to make that effort more efficient and effective.
“We made improvements over the years, but there hasn’t been any wholesale changes,” he said. “The way agencies get cloud services authorized today has been basically the same as it has been for years. We are now embarking down the road to see how we can do that better. We are looking at processes too as we bring in new technology to optimize the processes before we introduce new technology.”
Another priority area Conrad has been focused on is improving how cloud providers and agencies can use continuous monitoring to ensure the cloud services are meeting cybersecurity standards.
“It’s been a challenge to make sure the agency authorizing officials are on the same page with the cloud service providers. We want to make sure they have same information so the decision making processes are informed,” he said. “We have undertaken establishing a continuous monitoring lane. This is a net new capability in the PMO that we are developing and establishing to make sure correct amount of oversight and cloud services providers provide the same information.”
Before joining GSA and FedRAMP, Conrad was an officer in the Marine Corps, where he worked at Marine Corps Systems Command, the Marine Corps College of Distance Education and several other commands. After retiring from the Marine Corps, Conrad worked at Booz Allen Hamilton before coming back to federal service.