Government needs a massive investment in FedRAMP

A well-funded shared service could relieve an authorization bottleneck and bring essential cloud services to the government market.

As the Federal Risk and Authorization Management Program marks its 10th anniversary, it’s time to applaud FedRAMP’s accomplishments — but also explore ways to scale its operations so the government can more quickly adopt innovative software solutions.

FedRAMP is the much-needed standardized security process for companies that deploy software via the cloud to prove they adhere to Federal Information Security Management Act standards for protecting government networks and data. When a cloud product has been FedRAMP-authorized, it has received the stamp of approval that gives government agencies confidence that the product is likely safe to operate on their networks.

To date, there is no known cybersecurity breach attributed to a FedRAMP-authorized cloud product. In fact, although we don’t know all the details, if SolarWinds’ maintenance and patch server had been FedRAMP-authorized, the most recent cybersecurity crisis might have been detected earlier or avoided entirely.

FedRAMP is a great concept, but there are a few problems that cloud providers attempting to achieve an authorization will quickly point out. Most have to do with FedRAMP’s inability to scale to meet demand.

This is not the fault of the FedRAMP Program Management Office; it has a negligible budget. But a decade after the program’s debut, there are only about 200 FedRAMP-authorized products. The pace of authorizations has picked up in recent years, with about 50 products added annually, but this is just a drop in the ocean compared to the 15,000 commercial cloud products tracked by Gartner and the $300 billion-a-year cloud industry. Furthermore, it takes an average cloud company anywhere from a year to 18 months to complete an authorization.

Meanwhile, virtually all modern software deploys via the cloud distribution model. It’s a simple, sad fact: There’s an enormous universe of cloud products currently ineligible to participate in the government market for lack of FedRAMP authorization.

A tall order for under-resourced agencies

Part of the FedRAMP bottleneck has to do with limited resources and the complex journey that cloud providers must take. There are only two paths to authorization, and both have limitations. The first path is for the FedRAMP Joint Authorization Board to sponsor an authorization, but that team has very limited capacity and can only push through about 12 a year. The other path is for an agency to sponsor a cloud product. But when an agency chooses to do so, it does most of the heavy FedRAMP lifting itself.

Most agencies don’t have resources for shepherding a FedRAMP application and therefore will do so only in the rare circumstances when particular cloud services are essential to their missions. Remember, the current process can take a year or more, and FedRAMP is not a one-and-done proposition. Once a product receives an authorization, the agency sponsor must continue to monitor the product for lifetime compliance, which includes a continual flow of documentation and management. In other words, once an agency adopts a product to authorize, the relationship never ends. The sponsoring agency is a parent for life.

This is an obvious bridge too far for many agencies that are under-resourced even for their core missions; they simply have no budget for the lifetime cybersecurity management of a commercial software product. Yet, as we have seen from the ever-increasing threat of cyber intrusion from Russia, China and other malicious players, cybersecurity is appropriately the highest-order priority for the government.

At the same time, because of this security imperative and the government’s limited ability to process FedRAMP authorizations, many innovative and deserving commercial cloud products are locked out of the government market. Ironically, some of them might be useful to further enhance security.

The benefits of a FedRAMP shared service

So what can be done? One possibility would be to redirect some of the $1 billion Technology Modernization Fund to scale up and resource a governmentwide shared-services operation for the purpose of relieving agencies of FedRAMP authorizations. This shared service could be housed at the General Services Administration along with the FedRAMP Program Management Office, at the Department of Homeland Security or at another agency that is well-equipped to deploy a shared-services model.

A well-positioned and well-resourced FedRAMP shared service would deliver consistency and help commercial cloud providers get through the process in a more streamlined manner. Additionally and importantly, a shared service would create an ongoing central point for monitoring the continued security status of FedRAMP-authorized providers.

Furthermore, the shared service could do operational research to continually improve the process, seek automated tools to reduce time frames and own the entire life cycle of cloud product authorizations. Agencies that wish to do their own FedRAMP sponsorship could continue, but a properly resourced and expanded FedRAMP shared service — dedicated to ensuring proper security with the goal of rapidly increasing the volume of authorizations — would be extremely valuable.

FedRAMP is a well-thought-out approach to cybersecurity, but given the IT modernization and security imperatives, it is time to scale up the program to meet the growth and demand of cloud products. By analogy, it was the correct bridge to build 10 years ago, but that infrastructure investment needs to be at least quintupled to meet the realities of the current software market.

Scaling and creating operational efficiencies for FedRAMP that lower the barriers to entry and facilitate more rapid adoption of safe and secure innovative technologies are goals that are well worth exploring. Expansion of FedRAMP into a full-scale shared service is a logical place to make a high-impact, high-return infrastructure investment. If the government is serious about modernization, it should focus on addressing the FedRAMP bottleneck.
