FedRAMP Scores a Cloud Victory, as Microsoft Gets a Speedy Approval
FedRAMP Accelerated is finally paying off.
The General Services Administration’s Federal Risk and Authorization Management Program (FedRAMP) last month approved the first cloud service provider to work with federal agencies as part of the FedRAMP Accelerated program, which is designed to speed up the authorization process.
The Joint Authorization Board (JAB) gave a Provisional Authority to Operate to Microsoft Dynamics Customer Relationship Manager Online on Sept. 22, according to a blog post from FedRAMP Director Matt Goodrich.
“Microsoft completed the authorization process in just 15 weeks, or just under four months,” Goodrich said. “Compared to the last authorization, which took two years to complete, Microsoft Dynamics CRM Online was authorized six times faster!”
By speeding up the approval process for cloud service providers (CSPs), FedRAMP will make it more likely that CSPs will apply for authorizations, and will ultimately give agencies more choices as they deploy cloud services.
Goodrich told FedScoop that, before FedRAMP introduced the Accelerated process in March, it took from nine months to two years for CSPs to get approved. FCW reports that “before FedRAMP Accelerated was launched, the fastest approval took five months, according to GSA.”
Federal IT officials and CSPs have expressed frustration with the FedRAMP approval process, which prompted the organization to make the changes. According to a May 2016 MeriTalk survey of 150 federal IT decision-makers, four out of five officials (79 percent) said they were frustrated with FedRAMP, characterizing the process as “a compliance exercise.” Further, even though the process is mandatory for federal agency cloud deployments and service models at the low- and moderate-risk impact levels, 17 percent reported FedRAMP compliance does not factor into their cloud decisions, while 59 percent said they would consider a non-FedRAMP-compliant cloud service.
Speeding Up Cloud Authorizations
Goodrich said there were many reasons the Microsoft authorization was faster, but two elements were critical to the accelerated process: CSP readiness, which was demonstrated through capability assessments, and an iterative review approach.
FedRAMP unveiled the FedRAMP Readiness Assessment in March and finalized the requirements last month. The readiness assessments replaced the project management office’s old documentation reviews and instead focus on CSPs’ key capabilities and validation by an accredited third-party assessment organization.
“These readiness assessments ensure that CSPs entering the FedRAMP authorization process have the key technical capabilities in place prior to beginning an authorization,” Goodrich said. “This ensures that during the authorization process, vendors won’t have to introduce new technologies or engineering updates to their system. This reduces overall costs for vendors as well as ensures the authorization process isn’t delayed due to vendors implementing new solutions to meet the FedRAMP requirements.”
Such changes helped cut that part of the authorization process for Microsoft Dynamics CRM Online down to 10 weeks, compared with FedRAMP’s most recent prior authorization, which took 40 weeks.
Improving the Review Process
The Joint Authorization Board (JAB) is the primary governance and decision-making body for FedRAMP. It reviews and provides joint provisional security authorizations of cloud solutions using a standardized baseline approach. The JAB includes the CIOs of the Defense Department, the Department of Homeland Security and the GSA.
FCW notes that “the JAB review has been especially lengthy, and the FedRAMP Accelerated process is focused there.”
Goodrich said that the FedRAMP project management office also worked with the JAB “to employ a more iterative, or agile, review approach to the authorizations.” The JAB review process, Goodrich noted, was previously “focused on a waterfall-like approach designed with key stage gates — focusing on documentation, then testing, then reviews of risks.”
Now, with capabilities and risk assessments up front, the JAB can complete faster, more iterative reviews, and key questions can be raised faster and earlier in the process.
Goodrich said that FedRAMP Accelerated is now focusing on approvals for two other vendors: Unisys’ Secure Private Cloud for Government and 18F’s Cloud.gov.
“We expect their authorizations by the end of the year and to follow similar timelines for authorizations,” Goodrich said. “We look forward to continuing our partnership with them and supporting their progress through this new process.”