The General Services Administration’s Federal Risk and Authorization Management Program (FedRAMP) is taking steps to smooth the authorization process for cloud service providers (CSPs) seeking to work with the government.
FedRAMP has also recently taken steps to give federal agencies more easily accessible information about the status of CSPs.
The efforts are all part of FedRAMP’s desire to accelerate the approval process and be more transparent with federal agencies that use cloud services.
Letting CSPs Submit a Pre-Audit
On Aug. 6, GSA unveiled the FedRAMP Readiness Assessment Report (RAR) Template, which FedRAMP said in a blog post will basically serve as a pre-audit for CSPs, letting them demonstrate their readiness to achieve a FedRAMP authorization.
By conducting the pre-audit, CSPs will give the FedRAMP Program Management Office more information to determine if the CSP is ready to pursue a FedRAMP authorization. The template is part of the FedRAMP Accelerated process, which GSA kicked off in March to speed up the authorization process. Faster approvals will provide agencies with more cloud service options as they migrate applications and data to the cloud.
Federal IT officials have expressed frustration with the FedRAMP approval process, which prompted the organization to make the changes. According to a May 2016 MeriTalk survey of 150 federal IT decision-makers, four out of five officials (79 percent) said they are frustrated with FedRAMP, characterizing the process as “a compliance exercise.” Further, even though the process is mandatory for federal agency cloud deployments and service models at the low- and moderate-risk impact levels, 17 percent reported FedRAMP compliance does not factor into their cloud decisions, while 59 percent said they would consider a non-FedRAMP-compliant cloud service.
According to the blog post, CSPs whose RAR is approved will then be deemed “FedRAMP Ready” in the FedRAMP Marketplace, and that designation indicates that a CSP is likely to attain a Provisional Authorization to Operate (P-ATO) via the Joint Authorization Board (JAB), or an Authorization to Operate (ATO) by an agency.
The pre-audit focuses on key capabilities rather than documentation, enabling FedRAMP Accredited third-party assessment organizations, or 3PAOs, “to assess a CSP’s system in a shorter amount of time and giving the government a clearer understanding of a provider’s technical capabilities up front in the assessment process,” according to FedRAMP.
FedRAMP Improves Its Dashboard
FedRAMP is also taking steps to increase its transparency. On Aug. 16 the organization unveiled a new blog, called Focus on FedRAMP, which is aimed at giving agencies more information on current and future FedRAMP projects.
“We know that transparency and collaboration is the only way to truly meet all of your needs, and Focus on FedRAMP is designed with that in mind,” FedRAMP Director Matt Goodrich wrote.
FedRAMP is taking other significant steps to give agencies more information on CSPs and its process. On Aug. 17 FedRAMP rolled out an updated Marketplace dashboard to let agencies garner more information on the status of different CSPs — whether they are FedRAMP Ready, being evaluated or authorized.
“As FedRAMP has grown, so has our marketplace,” Goodrich wrote in a recent blog post. “It’s become a space where all of you interact – CSPs, agencies, and 3PAOs – and in more than just a one-way interaction. The more deeply and varied you have begun to interact, the more information and functionality you’ve expressed you’d like to see.
“We’ve responded by continuing to grow and segment the marketplace by introducing categories such as FedRAMP Ready and In-Process for our CSPs, identifying which agencies have authorized CSPs for use, and even which 3PAO assessed authorized CSPs. As we continued to introduce these new categories within the marketplace, our website didn’t always provide a graceful way for people to interact.”
FedRAMP worked with GSA’s 18F digital services unit to update the Marketplace. Now, federal users can more easily search for information on CSPs; sort information by vendor name, agency or the number of ATOs; compare how many ATOs one CSP or agency has in relation to others; get more information about CSPs and 3PAOs and the services they offer; find out whether a CSP is predicted to get authorization at another agency; and download the marketplace data in an easy format for use in a report or offline.