Cloud

FedRAMP wants to overhaul cloud authorizations

Shutterstock image: Cloud concept.

The Federal Risk and Authorization Management Program is postponing the launch of its high baseline standards while it tries to speed its sluggish authorization process.

When FedRAMP started vetting cloud providers in 2012, authorizations were typically issued in six months, but "now, all of a sudden, they're taking 12 to 18 months," FedRAMP Director Matt Goodrich said at a Feb. 24 event sponsored by Adobe and FedScoop. "That's not where we want to be."

FedRAMP has been expanding and onboarding more cloud service providers (CSPs) and third-party assessment organizations than ever, Goodrich added.

To better handle the workload, he said he and his team have been meeting with stakeholders and hearing the same basic message: Agencies are only interested in whether CSPs can serve their needs and whether they're "not risky."

Goodrich said he'll soon test a redesign of the authorization process that will focus on CSPs' actual capabilities rather than documentation.

"I believe [the changes] will make every authorization happen in less than six months," he said.

Given the focus on the authorization process, the launch of FedRAMP's high baseline standards for more sensitive data has been delayed.

Last month, Goodrich said the standards could be released by February, but on Feb. 24, he told FCW they wouldn't be out for "the next month or two."

In addition to prioritizing streamlining the authorization process over finishing the high standards, there have been some thorny security issues to resolve with the Defense Department.

"[It's] nothing dramatic, just sort of the bureaucracy," Goodrich said. He also promised a six-month FedRAMP update within the next two weeks. In a subsequent message to FCW, Goodrich emphasized that the pace is less an issue of red tape and more an issue of getting things right.

"The reason we've delayed is to align with the authorizations we're piloting at the high baseline as well as make sure we can align as closely with the DOD levels," Goodrich said.

This story was updated Feb. 25 with clarifying comment from Matt Goodrich.

About the Author

Zach Noble is a staff writer covering digital citizen services, workforce issues and a range of civilian federal agencies.

Before joining FCW in 2015, Noble served as assistant editor at the viral news site TheBlaze, where he wrote a mix of business, political and breaking news stories and managed weekend news coverage. He has also written for online and print publications including The Washington Free Beacon, The Santa Barbara News-Press, The Federalist and Washington Technology.

Noble is a graduate of Saint Vincent College, where he studied English, economics and mathematics.

Click here for previous articles by Noble, or connect with him on Twitter: @thezachnoble.


Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.