GSA Moves to Speed Up the FedRAMP Authorization Process
In a little more than three years, the Federal Risk and Authorization Management Program, better known as FedRAMP, has authorized 63 cloud service providers (CSPs) and 41 third-party assessment organizations (3PAOs) and has provided cloud services to 24 agencies, including all Cabinet-level departments.
But as Denise Turner Roth, the administrator of the General Services Administration, explained, “FedRAMP is the right tool; it’s the tool that’s necessary. But we know we need to do more with it.”
On Monday, the GSA officially announced "FedRAMP Accelerated," a 2.0 version of the federal government’s process for preapproving cloud-computing vendors to sell to the federal government. The changes focus on speed, optimizing the FedRAMP authorization process to reduce the time needed to approve the vendors, FedRAMP Director Matt Goodrich said.
"When FedRAMP first stood up, speed was never one of the goals," he said. "Our primary focus was security, avoiding hacks, avoiding breaches. But as we rethink the FedRAMP process, we know that the process needs to be quicker, but without sacrificing security standards."
Addressing Criticisms of a Slow Process
Although FedRAMP has successfully brought cloud solutions to government since December 2012, the vendor community has criticized the approval process, which in many cases takes more than a year, even for Fortune 500-level companies with mature cloud offerings.
The new FedRAMP Accelerated program aims to reduce approval time to about three to six months. That’s a big step, considering the fastest FedRAMP authorization to date is five and a half months.
“This program is almost four years old. It’s a perfect time for a refresh,” Goodrich said. “FedRAMP has been an incredibly successful program, but we are at a point now where we can make it more effective.”
The GSA began to rework this process about six months ago. The agency hired The Clearing, a Washington, D.C.-based management consulting firm, to provide an outsider’s view of the process. Through interviews with agency customers, CSPs and 3PAOs, the firm learned that users wanted FedRAMP to provide a greater certainty of success, more transparency, better predictability in time frames and faster speed to authorization.
FedRAMP Accelerated focuses on four key areas:
- CSPs will now have readiness reviews upfront.
- FedRAMP Ready will be increased. That part of the program launched in 2014 and is a category for systems that have had their documentation reviewed by the FedRAMP program management office and have gone through the readiness review process.
- FedRAMP will conduct faster, yet still thorough, security assessments.
- There will be earlier meetings with the Joint Authorization Board. The JAB reviews and provides joint provisional security authorizations of cloud solutions using a standardized baseline approach. The CIOs of GSA, the Defense Department and the Department of Homeland Security are on the board.
Federal Computer Week explained the primary change in more detail:
"The new process, called FedRAMP Accelerated, will require CSPs that want to work with the Joint Authorization Board for FedRAMP approval to have a third-party assessment organization, or 3PAO, conduct the initial capabilities assessment before diving into detailed documentation. If the 3PAO gives the cloud service passing marks, and the FedRAMP team agrees, that CSP would be declared 'FedRAMP ready' — a designation Goodrich said would then 'really mean something' and give agencies confidence that the service would be approved for use in relatively short order."