FedRAMP to Unveil New Process for Accelerating Cloud Authorizations

The process federal agencies use to authorize cloud programs is too slow, a sentiment acknowledged by the director of the authorization program. But that’s about to change, and officials of the Federal Risk and Authorization Management Program (FedRAMP) will announce the details of a redesigned process at an event on March 28.

FedRAMP, a program of the General Services Administration (GSA), wants to cut the time it takes for cloud service providers to receive authority to operate (ATO) to no more than six months, according to FedRAMP Director Matt Goodrich.

As FCW reported, Goodrich noted at an event last month that when FedRAMP started to approve cloud service providers (CSPs) in 2012, approvals usually took just six months, but "now, all of a sudden, they're taking 12 to 18 months. That's not where we want to be."

Speeding Up the Cloud Authorization Process

In an interview with FedTech, Goodrich said that getting the authorization process down to no longer than six months “will take a key focus on capabilities and risk. This focus on capabilities and risk up front will allow CSPs and the government to better understand the certainty of whether or not a CSP has the minimum capabilities to get through the FedRAMP process and achieve an authorization.”

According to FCW, at an event last week hosted by the Cloud Computing Caucus Advisory Group, many cloud industry participants voiced frustration with the process and how long it takes to get an ATO. As the publication reported, Steve O’Keeffe, founder of MeriTalk, told the crowd that two years ago a CSP could receive an authorization in about nine months for $250,000, and now the process takes close to two years and $5 million.

The bogged-down authorization process limits the options that federal CIOs and IT managers have when choosing which IT services to move to the cloud. Goodrich said FedRAMP plans to streamline the process.

“FedRAMP will be having an event on March 28th at GSA to detail our redesigned process to focus on capabilities and risks earlier in the process,” he said. Registration information for the event will be sent out next week, with details to be posted on FedRAMP.gov.

Currently, FedRAMP has authorized 60 CSPs to operate, according to Goodrich, and the program will work to increase that number in concert with the Joint Authorization Board (JAB), which is the main governance and decision-making body for FedRAMP.

“The JAB reviews and provides joint provisional security authorizations of cloud solutions using a standardized baseline approach,” GSA explains on its website. The CIOs of GSA, the Defense Department and the Department of Homeland Security are on the board.

“Our goal is to continue to encourage the growth of agency authorization, which has expanded by 53 percent over the last six months, and enable the JAB provisional authorization path to scale to meet demand,” Goodrich said.

Addressing Concerns

There are several ways FedRAMP wants to update and modernize the authorization process. According to Goodrich, FedRAMP “is currently working to redesign how the JAB and agencies can focus on capabilities at the beginning of the authorization process, rather than documentation.”

FedRAMP officials think that shifting the focus to capabilities up front will “eliminate the need for the lengthy documentation process,” Goodrich said.

He also noted that a speedier authorization process and a steadily increasing number of authorized CSPs mean that federal IT managers “need to be aware that the security controls in place for FedRAMP are critical to keeping the systems they use secure.”

He added: “They also need to be aware that the authorization process is just the first step — continuous monitoring is required as agencies operationalize the systems they use.”