The General Service Administration’s Federal Risk and Authorization Management Program, better known as FedRAMP, has big plans for 2017.
FedRAMP is tasked with providing a standardized, governmentwide approach to assess the security, authorize and continuously monitor the cloud service providers (CSP) that can work with agencies.
The agency, which underwent a series of changes last year designed to improve its operations in one of the key federal IT trends of 2016, plans to give agencies more choices of CSPs, continue to update its modernization process and enhance ties between agencies and cloud firms.
Building on FedRAMP’s Changes from 2016
Federal IT officials and CSPs have expressed frustration with the FedRAMP approval process, which prompted the organization to make the changes it did last year. According to a May 2016 MeriTalk survey of 150 federal IT decision-makers, 79 percent said they were frustrated with FedRAMP, characterizing the process as “a compliance exercise.” Further, even though the process is mandatory for federal agency cloud deployments and service models at the low- and moderate-risk impact levels, 17 percent reported FedRAMP compliance does not factor into their cloud decisions, while 59 percent said they would consider a non-FedRAMP–compliant cloud service.
In March 2016, FedRAMP introduced “FedRAMP Accelerated” to speed up the approval process. The program requires CSPs that want to work with the Joint Authorization Board and get FedRAMP approval to team up with a third-party assessment organization, or 3PAO. That organization would conduct an initial capabilities assessment before the CSP provided detailed documentation to FedRAMP. If the 3PAO approved the CSP and gave it a provisional authorization to operate, and the FedRAMP team agreed, that CSP would be declared “FedRAMP ready.”
Then, in late June, the GSA unveiled the “High Baseline Requirements” for FedRAMP, designed to increase cloud adoption for highly sensitive applications and systems. On Aug. 6, GSA unveiled the FedRAMP Readiness Assessment Report Template, which basically serves as a pre-audit for CSPs, letting them demonstrate their readiness to achieve a FedRAMP authorization. In September, all of the efforts started to pay off: FedRAMP approved the first CSP under the new program, Microsoft Dynamics Customer Relationship Manager Online, in just 15 weeks, compared to two years for its last authorization.
New FedRAMP Plans for 2017
FedRAMP Director Matt Goodrich has spelled out the agency’s goals for the new year. First, the program wants to significantly expand the number of cloud services that agencies can choose from, up to 150 from 72 in late 2016. FedRAMP also wants to double the number of authorizations to operate from 345 to 750 by the end of the year. FedRAMP intends to have 50 CSPs certified as “FedRAMP Ready” in 2017.
However, after Coalfire, the No. 2 FedRAMP 3PAO, acquired another 3PAO Veris Group in December, sources within the cloud industry raised concerns that the deal could raise the cost of audits for small to medium-sized CSPs and make it more difficult for them to get FedRAMP approval, according to a MeriTalk report.
Building on FedRAMP Accelerated, the agency is aiming to grant all provisional authorizations to operate in under six months. To speed up the process further, the program is going to introduce “FedRAMP Tailored,” which will focus on low-impact Software as a Service cloud offerings. FedRAMP says it will “augment our current ‘one size fits all’ baselines to introduce tailored baselines for niche, specific use cases.”
Additionally, FedRAMP plans to revamp its continuous monitoring process to make it more efficient and dynamic. The agency says it will “ensure that the authorized cloud services continue to meet the necessary security requirements for safeguarding federal information.” FedRAMP acknowledged that the “ConMon” process — which requires CSPs to monitor their cloud system’s security controls, assess them on a regular basis, and demonstrate continuously acceptable security posture of their service offering — can be time consuming. The agency says it is committed to making the process smoother and more agile.
Finally, FedRAMP wants to foster more dialogue between the cloud industry and government, and it plans to conduct two industry days and two roundtables to have both sides share best practices. FedRAMP also plans to provide more information, and will publish detailed guidance on how to document all of the 421 National Institute of Standards and Technology controls within any of the FedRAMP baselines.
“Building on the accomplishments from FY16 that we shared last week, we hope to continue the trend of exponential growth, innovative process improvements, and collaboration among the community,” Goodrich says. “We have established pretty aggressive targets for FY17 and appreciate your support as we advance the program.”