What You Can Expect from FedRAMP 2.0

The 2-year-old program is incorporating new standards for securing federal cloud services.

The June 5 deadline has come and gone for agencies to verify that their cloud solutions meet federal security standards. And now that you’ve survived the big day, you’re probably wondering, “What’s next?”

For agencies, the work is far from over. To date, a dozen cloud services have received provisional authority to operate from FedRAMP’s joint authorization board (JAB). In other words, CIOs at the General Services Administration and Defense and Homeland Security departments, who sit on the board, have agreed that those services meet federal security standards.

There are 160 known instances of those 12 cloud services in operation today across the federal government, FedRAMP Director Maria Roat said at a June 4 industry day event, at which her team provided program updates. The accredited services are available on at least 250 government contracts.

“What that means is I should have ATOs [authority to operate] from all those agencies in the secure repository, so I know they used those ATOs,” Roat said. “Well, I don’t have that. Agencies are expected to update the ATO memos.” That repository houses security documentation about approved cloud services.

For the past year, agencies have been reporting to the Office of Management and Budget about their cloud computing investments. Roat expects OMB will coordinate with the FedRAMP program management office as it verifies whether agencies’ cloud solutions comply with federal requirements.

At the FedRAMP industry day, members of the program office provided details about changes underway and what’s in store for agencies and cloud vendors. Here is a summary of their answers to lingering questions about FedRAMP:

How will NIST Special Publication 800-53 Revision 4 affect FedRAMP?

FedRAMP’s security controls are based on NIST standards — specifically, the standards in SP 800-53 Revision 3 that pertain to cloud computing. The transition to revision 4 means that there will be 125 security requirements for low-impact systems and 325 for moderate-impact systems.

Will more security requirements mean more work for cloud vendors?

Although the number of controls for moderate systems has increased from 298, the increase doesn’t necessarily mean companies will have to increase their capabilities. Some 245 of those controls will remain in place. The revised security controls will better clarify what is expected from industry. For example, vendors have had to verify that they encrypt data at rest. Now, they will have to explain how they do it.

How will these changes affect FedRAMP continuous monitoring requirements?

Continuous monitoring begins after a cloud service is authorized under FedRAMP. The term “continuous monitoring” can be hard to understand in the context of FedRAMP because the government isn’t watching everything that goes on in the cloud. Vendors will have to perform vulnerability scans monthly and remediate within 30 days any findings that are deemed high vulnerabilities. Some security reporting used to be done quarterly. FedRAMP officials say the change will better align the program with the Department of Homeland Security’s continuous monitoring program. For now, vulnerability scans under the DHS program are much more frequent than under FedRAMP.

How much have agencies saved by using FedRAMP?

About $40 million. That number is likely higher, but the FedRAMP office can at least account for that figure.

What relationship does the FedRAMP team have with the Defense Information Systems Agency?

Last fall, DISA joined the FedRAMP review team at the request of then-CIO Teri Takai. Because DISA is the Defense Department’s cloud broker, it made sense for the agency to be part of the review process. DISA requires roughly 40 “things” on top of the baseline FedRAMP standards, such as additional reporting parameters and security requirements.

How long does it take to get a cloud service approved through FedRAMP?

It takes about nine months for companies to get approval from the JAB, and that doesn’t include the preparation that happens before a review kicks off. Getting an agency ATO takes about four months or longer, depending on the agency. One less frequently used route requires cloud service providers to submit a security assessment package for a FedRAMP review. That process takes about four weeks to complete because the security packages have not received an ATO from the joint board or from an agency.

Check out FedRAMP.gov for updated templates, security requirements and program documents.

Jun 05 2014