GSA to issue two-year FedRAMP road map

Two and a half years after launching the Federal Risk and Authorization Management Program, which seeks to standardize agencies' approach to cloud security, the General Services Administration is set to unveil its goals for FedRAMP's next two years.

GSA officials will release a "FedRAMP Forward" road map on Dec. 17 to help agencies and vendors address the growing ubiquity of the program.

To date, there are 27 FedRAMP-compliant cloud service providers and 313 accredited third-party assessment organizations (3PAOs), according to GSA.

In a Dec. 16 press briefing, GSA officials said the roadmap will address how to grow FedRAMP "thoughtfully, deliberately and effectively" using three goals: increasing compliance and agency participation, improving efficiencies, and facilitating adaptation.

Those goals include a series of deliverables set for release over a 24-month period, beginning this month. Among the deliverables:

• Within six months, GSA will have baseline metrics from sources beyond the PortfolioStat metrics currently used, said FedRAMP Director Matt Goodrich.
• GSA will release automation requirements for vendors and agencies to produce more efficient FedRAMP documentation, and will develop and publish updated 3PAO requirements.
• GSA will issue a draft high baseline for nonclassified technology systems under the Federal Information Security Management Act.

GSA will probably issue the high-baseline requirements in January for public comment and finalize them within 12 months. The need for such requirements for high-impact systems has become more critical as the Department of Homeland Security and others have ramped up their move to the cloud.

Further down the road, GSA will issue guidelines for correlating continuous monitoring data and an initial assessment and finalization of policies for overlaying FedRAMP compliance with authorization of other federal programs such as Trusted Internet Connections, Continuous Diagnostics and Mitigation, and IPv6, said Kathy Conrad, acting associate administrator of GSA's Office of Citizen Services and Innovative Technologies.

Through its efforts to increase stakeholder engagement, the agency hopes to dispel some misperceptions about the FedRAMP compliance process. Conrad and Goodrich said many agencies and vendors assume that the Joint Authorization Board is the ultimate stamp of approval, but there are three paths to achieving authorization: JAB provisional authority to operate, agency ATO, and cloud service provider supplied.

"JAB might be considered the 'gold star,'" Conrad said, but much can depend on specifics in the cloud solution being sought and the level of risk.

GSA is working through other thorny issues, including out how to include FedRAMP approval provisions in federal IT procurements, she added.

GSA and the Office of Management and Budget are devising a policy to include ATOs in contracts. GSA has provided some contract language, but concerns have been expressed about whether vendors bidding on cloud contracts must have the authorization.

"You have to have an ATO to operate, not to bid," she said. However, if a vendor that does not have an ATO wins a contract, it must get one as soon as possible.

"We have to clarify the extent of ATO flexibility," Conrad said. "It's not in the best interest of the government if it has to wait nine months to go live once ATO is achieved."