The Federal Risk and Authorization Management Program deserves praise, not criticism, and here are four reasons why.
In recent months, members of industry and the media have loudly criticized the Federal Risk and Authorization Management Program. For example, security professionals say FedRAMP's security controls are not strong enough, and compliance alone does not ensure information security. Other critics say FedRAMP makes it harder for government agencies to move to the cloud.
However, those criticisms are false and not deserved.
Perhaps industry has lost sight of all that we in the federal IT sector have accomplished since FedRAMP was established. Without it, there would be no standard controls or processes in place for government agencies to evaluate or share. FedRAMP saves significant time, money and resources, and it provides enhanced security visibility through standardized continuous monitoring reports and risk-based security management.
We all owe a debt of gratitude for FedRAMP's dedication in support of enabling federal -- and state and local -- government agencies to access and adopt cloud services. Understanding the program’s impact is imperative.
Here are four reasons why FedRAMP's accomplishments should not go unnoticed:
- FedRAMP offers multiple routes to authorization. Cloud service providers have three paths to authorization. The most commonly used is to gain provisional authority to operate (ATO) from FedRAMP's Joint Authorization Board. Alternatively, a company can be granted an ATO by an agency. Lastly, although no companies have used this method to date, a CSP can work independently with a FedRAMP-accredited third-party assessment organization (3PAO) to complete all required documentation, testing and security assessments. Costs tend to vary widely depending on the path, but all the approaches result in the same end goal: FedRAMP authorization and an opportunity to sell cloud products and services in the federal market.
- FedRAMP encourages built-in security. There is a significant investment required for companies to meet the government’s security standards, as there should be. It takes time and money, but the size of that investment depends on how prepared a company is before embarking on the FedRAMP process. Services built with government security at their foundation can make it through FedRAMP approval much faster and at much lower costs than commercial services that must be retrofitted.
- FedRAMP makes it easy for agencies to share ATOs. CSPs go through the FedRAMP process only once. Government agencies have different information standards and requirements, and therefore, each will want to review a CSP's ability to meet those needs. Fortunately, the FedRAMP portal offers a quick and easy way for government officials to review a CSP's FedRAMP package, 3PAO assessment results, ATO letters from other agencies and more.
- FedRAMP has broad appeal. FedRAMP is expanding beyond only serving the federal government, with state and local agencies showing interest in the program. California officials are currently awaiting approval to use FedRAMP to minimize the risk to state data and constituent information and as a way to provide those constituents with a secure platform.
Many other state and local governments are beginning to follow in California’s footsteps, showing early indications of FedRAMP's long-term accomplishments.
Although FedRAMP has developed fast, it has remained comprehensive. It has also served the intended goal of qualifying government-ready service providers and sharing ATOs across agencies. Its accomplishments are real and should not be tarnished by those who are not ready or who want to make noise for financial gain.