Big changes are ahead for the Federal Risk and Authorization Management Program, better known as FedRAMP.
A new two-year roadmap released Wednesday details more than 40 initiatives aimed at accomplishing three overarching goals: increasing stakeholder engagement, including the number of agencies implementing FedRAMP; improving program efficiencies, by automating FedRAMP documentation; and adapting FedRAMP to support evolving cloud offerings and security policies while focusing on risk management rather than compliance. The roadmap groups initiatives in six-, 12-, 18- and 24-month intervals.
One of the first orders of business next year will be to release draft standards for securing the government’s high-impact systems, those whose disruption would have the most serious effect on organizational operations and assets. Until now, the focus had been on low- and moderate-impact cloud computing systems.
In the past, FedRAMP Director Matt Goodrich has said some 20 percent of the government’s systems are high-impact, and most of those are in the Defense and Homeland Security departments.
“We realize there is a distinct need for agencies to be moving their higher-sensitivity data into these environments, into cloud environments, and so we are making sure we actually meet that need,” Goodrich said Tuesday while previewing the new roadmap.
The draft standards will be released in January for public comment, and the final document will be released within 12 months, he said. Proposed standards for high-impact systems will include a justification for why security controls were selected, with the hope of improving the dialogue with industry.
“We recognize that while we’ve had lots and lots of success, we can always improve, and so rather than just continue to do more of the same, we’ve taken a step back after two years, captured what we think are a number of our significant accomplishments, but also [identified] where ... we should focus … to achieve even further success in the years ahead,” the General Services Administration’s Kathy Conrad said Tuesday before the document’s public release. Conrad is acting associate administrator in GSA’s Office of Citizen Services and Innovative Technologies. Although FedRAMP is a governmentwide program, it is housed at GSA.
FedRAMP Procurement Guidance
Called FedRAMP Forward, the new roadmap will also help to make sure the cloud security program is implemented more consistently, and it will clear up agency misconceptions that restrict competition among cloud providers competing for federal business.
The FedRAMP office is working with the Office of Management and Budget, the Office of Federal Procurement Policy and the Office of E-Government and Information Technology to develop guidance that defines how FedRAMP should be included in contracts, Goodrich said. Although agencies must mandate FedRAMP compliance in their contracts, “there is no guidance exactly on how to do that,” he added. Agencies need evaluation criteria for ensuring that proposals meet cloud security standards.
Some agencies are requiring that companies be FedRAMP-compliant before they can bid, which “we feel is inappropriate and unduly restrictive,” Conrad said. Many IT procurements require companies to have an authority to operate (ATO) before their solution is launched, not before their bid is accepted.
Within the next year, a FedRAMP training module will be developed for agency procurement officials and the independent third-party assessment organizations (3PAOs) that assess companies’ security documentation. The FedRAMP management office also plans to create overlays for companies to demonstrate compliance with other IT policies, such as the Trusted Internet Connections (TIC) Initiative, as they undergo FedRAMP assessments. These capabilities and documents will be available on the new FedRAMP.gov website, which will be launched within six months.
Increasing Cloud Collaboration Across Agencies
One of the 12-month goals is to launch multiagency working groups to reduce duplication and enhance communication. The vision is for FedRAMP liaisons at each agency to collaborate more often and share data on FedRAMP compliance numbers at their agencies. This will help OMB better understand “where we really are with cloud use and FedRAMP across government,” Goodrich explained. The working groups are also meant to reduce duplication for departments that sponsor cloud vendors through FedRAMP’s agency-approved path.
For example, if six agencies are using the same six cloud service providers, they can each lead one authorization, and the other agencies can benefit from their work. “The first thing we always hear from agencies is, ‘Why should I do it first? Because then everyone else is getting it for free.’”
“We want to make sure we are sharing the benefits of FedRAMP across the government,” Goodrich said, adding, “the entirety of government is going to save in the end.”
Reducing the Wait for FedRAMP Compliance
Today, completing the FedRAMP process can take as little as four months or more than a year, Goodrich said. The goal is to reduce the time to no more than six months on average, but that will vary based on the complexity of a cloud solution and the readiness of a cloud provider to prove FedRAMP compliance. Working with a company through the process takes agencies about six to nine months, but Goodrich hopes to see that reduced to three or four months while maintaining the program’s rigorous standards.
Goodrich stressed that FedRAMP is more than the Joint Authorization Board, which is made up of the CIOs of GSA and the Defense and Homeland Security departments. He wants the program office to be seen as an entity that supports agencies, 3PAOs, cloud service providers and all three paths for obtaining FedRAMP authorization.
“We’re really making sure everyone understands that FedRAMP is the collective of government,” Goodrich said.