FedRAMP trimming approval time, officials say

The time needed for cloud services to receive authorization under the Federal Risk Authorization and Management Program has been significantly shortened thanks to the FedRAMP Accelerated process.

At the Amazon Web Services Summit on June 14, FedRAMP Program Manager for Cybersecurity Claudio Belloli said the approval process, which originally required up to 24 months, has now been reduced to about four while maintaining the same rigor.

The four-month authorization process is shorter than even the estimated six months reported in May by the cybersecurity management and compliance firm Coalfire, though it does not quite reach the three-month goal that was floated when FedRAMP Accelerated was unveiled last year.

For cloud service providers to gain authorities to operate, there are two avenues: they can either deal directly with agencies or apply to the Joint Authorization Board, a team comprised of the CIOs from General Services Administration and the Departments of Defense and Homeland Security.

Because the JAB can only handle about 12-14 cases a year prioritized "based on demand," FedRAMP evangelist Ashley Mahan said that "it makes so much more sense" for most cloud service providers to work directly with a sponsoring agency, then undergo an expedited two-week final review from the FedRAMP program management office.

According to the May report, the cost of securing a FedRAMP authorization recently has averaged between $350,000 to $865,000. However, Mahan said the program office is currently "working on new material about what those updated costs are." She noted that the price tag will ultimately depend on "a number of factors," including the provider's knowledge of FedRAMP requirements and documentation procedures.

Although FedRAMP certification has been required required for virtually all cloud services used in the federal government since June 2014, Mahan acknowledged that some agencies still ask to work outside the FedRAMP framework. The CoalFire report estimated that 60 percent of agencies do not yet participate in the program.

"It absolutely is very frustrating for me," Mahan said.