Finally, a faster FedRAMP?
There have been many goals for the Federal Risk and Authorization Management Program since the concept was first floated in 2010: encouraging cloud adoption; "do once, use many times" efficiency; and trading check-box compliance for ongoing risk management, to name a few.
Quick turnarounds, however, were never on that list.
"We didn't have speed as one of our original goals," FedRAMP Director Matt Goodrich said at a recent event to announce changes in the program. "Sure, we don't want to work on something forever, but we were more concerned with making sure the systems we were authorizing were secured."
That lack of emphasis was apparent even as the number of authorized cloud service providers topped 65 this year. When FedRAMP officially launched in June 2012, officials estimated that approvals would take four to six months. To date, one CSP has completed the process in five months; most take nine to 18 months. Many agencies and CSPs have gone through countless rounds of documentation review, and two years is not unheard of.
The FedRAMP program management office, which is based at the General Services Administration, has worked for years to showcase CSPs that are under review or "FedRAMP Ready" but to limited effect. So on March 28, Goodrich and his team unveiled changes that promise to make the Joint Authorization Board process a far more predictable, three- to six-month affair.
"We will never trade rigor for speed," Goodrich said, but "we do want to see how fast we can make this happen."
Resource constraints have been part of the problem: JAB is staffed by the CIOs from GSA and the departments of Defense and Homeland Security, and until this year, those agencies had no dedicated funding for FedRAMP efforts. What GSA found during discussions with more than 85 stakeholder groups, however, is that the documentation-driven process is the primary culprit.
On the government side, Goodrich said, the FedRAMP team was looking at documentation "to try and understand a CSP's system" and then using that to identify any gaps and instruct the CSP on changes required to provide the needed cloud capabilities.
For the CSPs, however, "you know what the capabilities are," Goodrich said. Providers look at their systems, identify what they need to do to meet federal requirements, implement those changes "and then you document."
The new path to approval
The new approach is all about putting the FedRAMP PMO on the same path that CSPs are using. "We want to understand capabilities upfront, too," Goodrich said. The old approach's emphasis on documentation of "notional systems" often accounted for 70 percent to 80 percent of the total review process, he added. "That's a lot of time to be looking at paper and to not be looking at a system."
Central to the new process is the FedRAMP Readiness Assessment Report — an upfront gap assessment of a cloud service's security that Goodrich said most successful FedRAMP candidates already conduct over a span of a few weeks. CSPs that want to work with JAB will now need a third-party assessment organization, or 3PAO, to conduct that readiness assessment before diving into detailed documentation.
If the 3PAO gives the cloud service passing marks and the PMO agrees, that provider would be declared FedRAMP Ready.
The FedRAMP Ready designation was originally adopted in 2014 because GSA "wanted differentiators to show which vendors were serious about working with the federal government," Goodrich said. The new front-end assessment, however, will make that label "really mean something," he added, and give agencies confidence that the service would be approved for use in relatively short order.
A FedRAMP-ready CSP would be required to complete a full FedRAMP Security Assessment before moving on to JAB for approval. That, too, is a change from the current approach, which often involves multiple rounds of iterative review — each with wait times for the JAB agencies' attention.
Previously, Goodrich said, a full assessment was not required because "it was pretty risky for providers" to make that investment without any certainty they could secure FedRAMP approval. But "the front-end assessment eliminates almost all of that risk," he added, and "we believe it is now reasonable to ask for all this upfront so that we can make the process predictable and certain."
The window for public comment on the plan closed April 29, and the new process is now being tested with three CSPs: Unisys, Microsoft and GSA's own 18F, which is seeking FedRAMP approval for Cloud.gov. Those trials will continue into June, and barring major problems, the new method would then be available for other providers seeking a JAB-issued provisional authority to operate.
Agencies, of course, are able to sponsor their own FedRAMP authorizations as well. The new approach is only for JAB reviews, Goodrich said. Agencies are not required to use the new approach, but he said officials hope they will see the benefits and follow suit.
The third path to FedRAMP approval, however — the so-called CSP Supplied process, where a provider tests and documents without a government sponsor — has been abandoned. CSPs could submit completed packages until April 29 but now must either find an agency sponsor or shift to the new JAB approach.
Does faster equal fixed?
Speed has not been the only friction point for FedRAMP. Vendors have complained, for example, that other common security and privacy standards are not mapped to or recognized by the FedRAMP framework, forcing CSPs to duplicate costly certification efforts. Many agencies have been reluctant to shoulder the authorization burden themselves, adding to the JAB logjam. (That is changing, however; see box on page XX.)
Furthermore, DOD continues to explore changes to its own cloud security approach that builds on, but doesn't always map to, FedRAMP controls.
Nevertheless, Rep. Gerry Connolly (D-Va.), whose district is home to federal contractors large and small, has expressed cautious optimism about the FedRAMP changes. "I think they'd be a good improvement," he told FCW. He described the old FedRAMP process as a "bureaucratic nightmare" — but one that's not necessarily the FedRAMP team's fault.
Agencies, worried about Federal Information Security Management Act compliance, "mucked up the works" by demanding their own reviews, Connolly said. There needs to be more "reciprocity throughout the federal family" on cloud, he argued — something he said demands trust among agencies more than it does any program changes.
Rep. Will Hurd (R-Texas) had a similar take. Agencies' hesitation to embrace cloud frustrated him more than any FedRAMP inefficiencies. "If they have frictions, then we should be able to tweak and improve," Hurd told FCW. But "the idea that an agency is better prepared to defend their digital infrastructure than someone who does this for thousands of clients is still mind-boggling to me."
Connolly said that, for now, he's happy to let the FedRAMP PMO take the lead on reforms. "I think this could be solved administratively," he said, but if feds can't get the system working, he's not afraid to step in.
"This current process is unacceptable," Connolly said. "Congress won't accept it."
Mark Rockwell and Zach Noble contributed to this report.