While the IC’s research organization looks into adding security to cloud environments, in the here and now, intelligence agencies are sharing more data.
In a little more than three years, the Federal Risk and Authorization Management Program, better known as FedRAMP, has authorized 63 cloud service providers (CSPs) and 41 third-party assessment organizations (3PAOs) and has provided cloud services to 24 agencies, including all Cabinet-level departments.
But as Denise Turner Roth, the administrator of the General Services Administration, explained, "FedRAMP is the right tool; it’s the tool that’s necessary. But we know we need to do more with it."
On Monday, the GSA officially announced "FedRAMP Accelerated," a 2.0 version of the federal government’s process for preapproving cloud-computing vendors to sell to the federal government. The changes focus on speed, optimizing the FedRAMP authorization process to reduce the time needed to approve the vendors, FedRAMP Director Matt Goodrich said.
"When FedRAMP first stood up, speed was never one of the goals," he said. "Our primary focus was security, avoiding hacks, avoiding breaches. But as we rethink the FedRAMP process, we know that the process needs to be quicker, but without sacrificing security standards."
Although FedRAMP has successfully brought cloud solutions to government since December 2012, the vendor community criticized the approval process that, in many cases, takes more than a year, even for Fortune 500-level companies with mature cloud offerings.
The new FedRAMP Accelerated program aims to reduce approval time to about three to six months. That’s a big step, considering the fastest FedRAMP authorization to date is five and a half months.
“This program is almost four years old. It’s a perfect time for a refresh,” Goodrich said. “FedRAMP has been an incredibly successful program, but we are at a point now where we can make it more effective.”
The GSA began to rework this process about six months ago. The agency hired The Clearing, a Washington, D.C.-based management consulting firm, to provide an outsider’s view of the process. Through interviews with agency customers, CSPs and 3PAOs, the firm learned that users wanted FedRAMP to provide a greater certainty of success, more transparency, better predictability in time frames and faster speed to authorization.
FedRAMP Accelerated focuses on four key areas:
Federal Computer Week explained the primary change in more detail:
"The new process, called FedRAMP Accelerated, will require CSPs that want to work with the Joint Authorization Board for FedRAMP approval to have a third-party assessment organization, or 3PAO, conduct the initial capabilities assessment before diving into detailed documentation. If the 3PAO gives the cloud service passing marks, and the FedRAMP team agrees, that CSP would be declared 'FedRAMP ready' — a designation Goodrich said would then "really mean something" and give agencies confidence that the service would be approved for use in relatively short order."