
FedRAMP trimming approval time, officials say


The time needed for cloud services to receive authorization under the Federal Risk Authorization and Management Program has been significantly shortened thanks to the FedRAMP Accelerated process.

At the Amazon Web Services Summit on June 14, FedRAMP Program Manager for Cybersecurity Claudio Belloli said the approval process, which originally required up to 24 months, has now been reduced to about four while maintaining the same rigor.

The four-month authorization process is shorter than even the estimated six months reported in May by the cybersecurity management and compliance firm Coalfire, though it does not quite reach the three-month goal that was floated when FedRAMP Accelerated was unveiled last year.

For cloud service providers to gain authorities to operate, there are two avenues: they can either deal directly with agencies or apply to the Joint Authorization Board, a team composed of the CIOs from the General Services Administration and the Departments of Defense and Homeland Security.

Because the JAB can only handle about 12-14 cases a year prioritized "based on demand," FedRAMP evangelist Ashley Mahan said that "it makes so much more sense" for most cloud service providers to work directly with a sponsoring agency, then undergo an expedited two-week final review from the FedRAMP program management office.

According to the May report, the cost of securing a FedRAMP authorization recently has averaged between $350,000 and $865,000. However, Mahan said the program office is currently "working on new material about what those updated costs are." She noted that the price tag will ultimately depend on "a number of factors," including the provider's knowledge of FedRAMP requirements and documentation procedures.

Although FedRAMP certification has been required for virtually all cloud services used in the federal government since June 2014, Mahan acknowledged that some agencies still ask to work outside the FedRAMP framework. The Coalfire report estimated that 60 percent of agencies do not yet participate in the program.

"It absolutely is very frustrating for me," Mahan said.

About the Author

Chase Gunter is a staff writer covering civilian agencies, workforce issues, health IT, open data and innovation.

Prior to joining FCW, Gunter reported for the C-Ville Weekly in Charlottesville, Va., and served as a college sports beat writer for the South Boston (Va.) News and Record. He started at FCW as an editorial fellow before joining the team full-time as a reporter.

Gunter is a graduate of the University of Virginia, where his emphases were English, history and media studies.

