The federal program that assesses security for and authorizes cloud programs used by federal agencies plans to revamp its operations and speed up the authorization process. The Federal Risk and Authorization Management Program (FedRAMP) also aims to increase the transparency of its processes.
FedRAMP, a program of the General Services Administration, conducted external and internal surveys over the past six months to see how it could improve, FedRAMP Director Matthew Goodrich revealed in a Jan. 20 blog post. The agency spoke with “cloud service providers (CSPs), third-party assessors (3PAOs), industry consortiums, and agencies, among other users,” he explained.
Over the next few weeks and months, Goodrich promised, the program will “be making some major changes based on your feedback.”
Speeding Up Authorizations, Boosting Transparency
Commenting on one source of dissatisfaction among respondents, Goodrich said: “The fastest authorizations for FedRAMP have taken approximately six months. We agree with you — that’s simply too long.”
FedRAMP is still using a process for authorizations it designed four years ago that assumed it would take six to 12 months to construct a legacy IT system. Now, via the cloud, Goodrich noted, new systems can be built within days or “sometimes even in minutes.”
This technological advancement should bring about speedier customer service, he admits, noting that FedRAMP’s “authorization process needs to reflect that a system is already built and operational.
“To that end, we’re exploring changes to the authorization process to focus more on capabilities and evidence up front, rather than documentation throughout,” Goodrich continues.” We believe this will allow FedRAMP to scale not only for government, but for industry as well.”
Goodrich also assured that FedRAMP will be more open about its operations, disclosing what agencies are using FedRAMP, what CSPs are authorized or are in the process of being authorized, and what services are available. “And we want all of that information to be searchable, downloadable, and easy to find,” he wrote. “We’ve teamed up with 18F to make this a reality by creating a public dashboard on www.FedRAMP.gov, which will be available to you by spring.”
Higher Security Requirements
On Tuesday, FedRAMP released a draft of a newly created cloud security certification level, known as the high impact baseline. Federal Times reports: “The draft high baseline documents released Tuesday lay out a process for authorizing cloud service providers to host data that, if leaked or otherwise compromised, would have a significant impact, including personal harm, loss of life or financial ruin.”
As survey respondents pointed out, “CSPs can provide higher level of security than FedRAMP authorizes now and that agencies want to use those services,” Goodrich noted in his post.
Goodrich said the program expects to “finalize the requirements for high impact security systems by the end of winter (read the most recent public draft of these requirements). At the same time, we’re also piloting this effort with a few vendors to be authorized via the Joint Authorization Board so that we can have lessons learned and specific areas of focus for vendors who are interested in achieving this level of security. “
The goal, he wrote, is to “help our industry partners make an informed decision about the level of effort it takes to maintain a high system, and also enable our agency customers to understand what to expect from using a cloud service for their high systems.”
Additionally, Goodrich revealed that FedRAMP is undertaking an effort to fulfill respondents’ request for the program to “match CSPs with agency needs and promote FedRAMP to the right people within agencies.” Ashley Mahan, the FedRAMP agency evangelist at GSA, is leading the initiative. Goodrich wrote that Mahan “will complete an ‘Agency Roadshow’ over the next three months. She’ll be meeting with every federal agency to identify how they’re using FedRAMP and get a better understanding [of] what types of CSPs they want to use.”
“We’d like FedRAMP to become as true of a partnership between the federal government and industry as possible — and we want the FedRAMP authorization process to clearly reflect this,” Goodrich concluded. “We need the continued engagement of both government and industry. So stay involved. We promise to continue to respond and iterate to ensure we’re meeting your needs.”