Update 2024-03-28-a-new-roadmap-for-fedramp.md
shivaalipour authored Mar 28, 2024
1 parent 1939cba commit 342d319
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions _posts/2024-03-28-a-new-roadmap-for-fedramp.md
Expand Up @@ -16,13 +16,13 @@ Today, what federal agencies need from FedRAMP is not only computing infrastruct

While SaaS applications are used in government, and FedRAMP does have some in its marketplace, it’s not nearly enough and it’s not working the way that it should. We know that for many companies, especially software-focused companies, it takes too much time and money to get a FedRAMP authorization. And we’re particularly cognizant that we need to scale and automate our own processes beyond where they’re at now if we want to meaningfully grow the FedRAMP marketplace.

Our roadmap lays out our 4 primary goals:
<h4>Our roadmap lays out our 4 primary goals</h4>:
- <b>Orienting around the customer experience</b>. We’ll simplify the process for cloud providers, and make the results more useful for agencies. As we do that, we want our conception of how much time and money it costs to go through FedRAMP to match our customers’ lived experience as closely as possible.
- <b>Cybersecurity leadership</b>. FedRAMP is a security and risk management program. We’ll make our security expectations clearer and more consistent for every kind of FedRAMP authorization. At the same time, we’ll start and continue updating FedRAMP policies to make sure a too-rigid approach doesn’t get in the way of real-world security.
- <b>Scaling a trusted marketplace</b>. We’ll develop clear processes with trusted authorizing partners that cut down on unnecessary reviews at GSA. At the same time, FedRAMP will centrally take on more post-authorization monitoring and automate as much of it as possible.
- <b>Smarter, technology-forward operations</b>. We’ll build a data-first, API-first foundation for FedRAMP by putting the tools, specs, and services in place to create and share digital authorization packages and other information.

Our roadmap contains some specific initiatives we’re undertaking to make concrete progress against these goals:
<h4>Our roadmap contains some specific initiatives we’re undertaking to make concrete progress against these goals</h4>:
1. <b>An agile approach to change management</b>. FedRAMP needs to enable agile software delivery of security improvements and other features. To do this, we plan to replace the “significant change request” process with an approach that does not require advance approval for each change. We’ll start by piloting a new process with interested authorized cloud providers, and use the pilot to finalize broader guidance.
2. <b>Publish new, customer-oriented program metrics</b>. If we are going to impact the cost of FedRAMP and how long it takes to get and stay authorized, we need a better way to measure those things, informed by what our customers are actually experiencing. Likewise, we need to refine our understanding of our agencies' customers' experience and focus on ensuring they can efficiently and securely leverage cloud services to meet their mission needs. We plan to survey customers about their experience, soon and at a regular cadence, and to update FedRAMP’s formal performance metrics based on this survey to align with customer outcomes.
3. <b>Define FedRAMP’s core security expectations</b>. A central challenge of FedRAMP is to accommodate varying risk tolerances across agencies, while still setting a high enough bar for its authorizations to broadly support agency reuse without additional work. We plan to make progress here by more clearly defining the outcomes we expect all types of authorizations to meet. We will also work closely with CISA to develop and deploy the best protections for and minimize the risk to the federal enterprise. By combiningpartnering this with more public documentation and examples of how cloud providers meet FedRAMP’s security goals, we can also streamline the authorization process overall.
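Review bot: in both added heading lines the colon sits outside the closing tag (`</h4>:`), so it will render as a stray ":" after the heading rather than as part of it; either move it inside (`<h4>Our roadmap lays out our 4 primary goals:</h4>`) or drop it, since a heading introducing a list does not need a trailing colon. Since this is a Jekyll `_posts` markdown file, the same headings could be written with the markdown `####` syntax instead of raw `<h4>` tags, which keeps the post consistent with the `- ` and `1. ` list markup used directly below. Separately, the unchanged context line for initiative 3 contains "By combiningpartnering this with", which reads like an unresolved edit between "combining" and "partnering"; pick one word while this file is open.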

0 comments on commit 342d319