Finally, a faster FedRAMP?

A revamped assessment process targets the cloud security program’s biggest friction point: time.

There have been many goals for the Federal Risk and Authorization Management Program since the concept was first floated in 2010: encouraging cloud adoption; "do once, use many times" efficiency; and trading check-box compliance for ongoing risk management, to name a few.

Quick turnarounds, however, were never on that list.

"We didn't have speed as one of our original goals," FedRAMP Director Matt Goodrich said at a recent event to announce changes in the program. "Sure, we don't want to work on something forever, but we were more concerned with making sure the systems we were authorizing were secured."

That lack of emphasis was apparent even as the number of authorized cloud service providers topped 65 this year. When FedRAMP officially launched in June 2012, officials estimated that approvals would take four to six months. To date, one CSP has completed the process in five months; most take nine to 18 months. Many agencies and CSPs have gone through countless rounds of documentation review, and two years is not unheard of.

The FedRAMP program management office, which is based at the General Services Administration, has worked for years to showcase CSPs that are under review or "FedRAMP Ready" but to limited effect. So on March 28, Goodrich and his team unveiled changes that promise to make the Joint Authorization Board process a far more predictable, three- to six-month affair.

"We will never trade rigor for speed," Goodrich said, but "we do want to see how fast we can make this happen."

Resource constraints have been part of the problem: JAB is staffed by the CIOs from GSA and the departments of Defense and Homeland Security, and until this year, those agencies had no dedicated funding for FedRAMP efforts. What GSA found during discussions with more than 85 stakeholder groups, however, is that the documentation-driven process is the primary culprit.

On the government side, Goodrich said, the FedRAMP team was looking at documentation "to try and understand a CSP's system" and then using that to identify any gaps and instruct the CSP on changes required to provide the needed cloud capabilities.

For the CSPs, however, "you know what the capabilities are," Goodrich said. Providers look at their systems, identify what they need to do to meet federal requirements, implement those changes "and then you document."

The new path to approval

The new approach is all about putting the FedRAMP PMO on the same path that CSPs are using. "We want to understand capabilities upfront, too," Goodrich said. The old approach's emphasis on documentation of "notional systems" often accounted for 70 percent to 80 percent of the total review process, he added. "That's a lot of time to be looking at paper and to not be looking at a system."

Central to the new process is the FedRAMP Readiness Assessment Report — an upfront gap assessment of a cloud service's security that Goodrich said most successful FedRAMP candidates already conduct over a span of a few weeks. CSPs that want to work with JAB will now need a third-party assessment organization, or 3PAO, to conduct that readiness assessment before diving into detailed documentation.

If the 3PAO gives the cloud service passing marks and the PMO agrees, that provider would be declared FedRAMP Ready.

The FedRAMP Ready designation was originally adopted in 2014 because GSA "wanted differentiators to show which vendors were serious about working with the federal government," Goodrich said. The new front-end assessment, however, will make that label "really mean something," he added, and give agencies confidence that the service would be approved for use in relatively short order.

A FedRAMP-ready CSP would be required to complete a full FedRAMP Security Assessment before moving on to JAB for approval. That, too, is a change from the current approach, which often involves multiple rounds of iterative review — each with wait times for the JAB agencies' attention.

Previously, Goodrich said, a full assessment was not required because "it was pretty risky for providers" to make that investment without any certainty they could secure FedRAMP approval. But "the front-end assessment eliminates almost all of that risk," he added, and "we believe it is now reasonable to ask for all this upfront so that we can make the process predictable and certain."

The window for public comment on the plan closed April 29, and the new process is now being tested with three CSPs: Unisys, Microsoft and GSA's own 18F, which is seeking FedRAMP approval for Cloud.gov. Those trials will continue into June, and barring major problems, the new method would then be available for other providers seeking a JAB-issued provisional authority to operate.

Agencies, of course, are able to sponsor their own FedRAMP authorizations as well. The new approach is only for JAB reviews, Goodrich said. Agencies are not required to use the new approach, but he said officials hope they will see the benefits and follow suit.

The third path to FedRAMP approval, however — the so-called CSP Supplied process, where a provider tests and documents without a government sponsor — has been abandoned. CSPs could submit completed packages until April 29 but now must either find an agency sponsor or shift to the new JAB approach.

Does faster equal fixed?

Speed has not been the only friction point for FedRAMP. Vendors have complained, for example, that other common security and privacy standards are not mapped to or recognized by the FedRAMP framework, forcing CSPs to duplicate costly certification efforts. Many agencies have been reluctant to shoulder the authorization burden themselves, adding to the JAB logjam. (That is changing, however; see box on page XX.)

Furthermore, DOD continues to explore changes to its own cloud security approach that builds on, but doesn't always map to, FedRAMP controls.

Nevertheless, Rep. Gerry Connolly (D-Va.), whose district is home to federal contractors large and small, has expressed cautious optimism about the FedRAMP changes. "I think they'd be a good improvement," he told FCW. He described the old FedRAMP process as a "bureaucratic nightmare" — but one that's not necessarily the FedRAMP team's fault.

Agencies, worried about Federal Information Security Management Act compliance, "mucked up the works" by demanding their own reviews, Connolly said. There needs to be more "reciprocity throughout the federal family" on cloud, he argued — something he said demands trust among agencies more than it does any program changes.

Rep. Will Hurd (R-Texas) had a similar take. Agencies' hesitation to embrace cloud frustrated him more than any FedRAMP inefficiencies. "If they have frictions, then we should be able to tweak and improve," Hurd told FCW. But "the idea that an agency is better prepared to defend their digital infrastructure than someone who does this for thousands of clients is still mind-boggling to me."

Connolly said that, for now, he's happy to let the FedRAMP PMO take the lead on reforms. "I think this could be solved administratively," he said, but if feds can't get the system working, he's not afraid to step in.

"This current process is unacceptable," Connolly said. "Congress won't accept it."

Mark Rockwell and Zach Noble contributed to this report.