The cloud is critical for federal agencies, but is it secure?
For enterprises, leveraging less-than-secure solutions is potentially problematic; for government agencies, deploying insecure cloud services could be devastating.
From first-party organizations that deliver direct federal services to third-party providers tasked with securely handling, storing or analyzing government data, ensuring that cloud services are held to higher standards is the goal of the Federal Risk Authorization Management Program (FedRAMP), which launched in 2011 and has now approved 199 cloud vendors.
But challenges remain, as 46 cloud service providers are currently still going through the FedRAMP approval process, which, as noted by the Information Technology & Innovation Foundation, can take anywhere from six months to two years and cost companies upward of $500,000.
New initiatives, such as the FedRAMP Agency Liaison Program and FedRAMP’s “do once, use many times” mandate, are focused on clearing this backlog and ramping up approval speed in general. However, questions remain over whether these initiatives are enough to meet the demands of cloud-first enterprise environments without compromising security.
What Is FedRAMP and Why Is It Important?
FedRAMP is part of Technology Transformation Services within the General Services Administration’s Federal Acquisition Service.
As a GSA spokesperson notes, the program was established in 2011 by the Office of Management and Budget to “provide a cost-effective, risk-based approach for the adoption and use of cloud services by the federal government.”
FedRAMP is designed to enable agencies to “use modern cloud technologies, with an emphasis on security and protection of federal information,” the spokesperson notes.
Greg Touhill, an ISACA board director and the former federal CISO, offers a more succinct description, noting that FedRAMP “is intended to provide a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.”
FedRAMP Director Ashley Mahan tells FedTech that FedRAMP “serves an important security role. It bridges government to the private sector, enabling agencies to take advantage of modern, transformative and secure cloud products and services.”
In effect, the program acts as an intermediary between operational needs and security requirements. Despite its mission and mandate, however, FedRAMP has received its fair share of criticism — both deserved and undeserved — as a program that creates more barriers than benefits thanks to the time and cost it sometimes takes for cloud service providers to receive approval.
Unlike some federal agencies that are reluctant to embrace change at scale, FedRAMP is continuously looking for ways to improve. The framework therefore remains relevant not just for its commitment to secure cloud services but as an initiative that aligns with evolving digital transformation efforts — adaptable, agile and willing to adjust where possible.
As a result, “FedRAMP enables the federal government to accelerate the adoption of cloud computing by creating transparent standards and processes for security authorizations and allowing agencies to leverage security authorizations on a government-wide scale,” according to the GSA spokesperson.
Touhill offers a more practical take, noting that “the U.S. government is one of the largest consumers of cloud products and services. Having each of the hundreds of department and agency organizations create their own standards for cloud products and services is ridiculous; it’s not fair to vendors to have a moving target depending on who you talk with.”
The FedRAMP process, Touhill says, “sets a better playing field for vendors and government entities alike. While it is far from perfect, it has gotten a lot better as the GSA team has applied lessons to improve such things as the testing and approval processes, information on its website and the timing of the process.”
What Are FedRAMP Requirements?
FedRAMP compliance isn’t required for all cloud deployments. As noted by Touhill, “most widely used, commercial, off-the-shelf products that operate on various on-premises systems as well as on cloud-based servers do not require FedRAMP approval. Other government-sponsored certification programs, such as Common Criteria or Continuous Diagnostics and Mitigation (CDM) certifications generally apply to these products.”
The official FedRAMP FAQ, however, says that approval is necessary for federal agency “cloud deployments and service models at the low, moderate, and high risk impact levels. Private cloud deployments intended for single organizations and implemented fully within federal facilities are the only exception.”
Approvals take the form of Authority to Operate (ATO) or Provisional Authority to Operate (P-ATO) after the cloud service provider authorization package has been approved. This process can take anywhere between six months and two years, and only begins once the cloud service has been prioritized through FedRAMP Connect.
To help streamline the approval process, FedRAMP has deployed a “do once, use many times” framework. According to the GSA spokesperson, “FedRAMP eliminates duplicative efforts by providing a common security framework. Agencies review their security requirements against a standardized baseline. A Cloud Service Provider (CSP) goes through the authorization process once, and after achieving an authorization for their Cloud Service Offering (CSO), the security package can be reused by any federal agency.”
In June, FedRAMP launched its Agency Liaison Program which leverages a “train the trainer” model that empowers FedRAMP-vetted liaisons to share knowledge and resources about the approval process with other members of their agencies and the federal community at large. This, in turn, helps other cloud service providers better prepare for the approval process and companies better identify FedRAMP-ready cloud vendors.
FedRAMP Compliance Checklist
How do cloud service providers start the approval process, create checklists to make sure they are as prepared as possible to meet FedRAMP requirements and balance that with the need for a speedy approval?
As noted by the GSA, “Preparation is key in successfully going through the authorization process. The FedRAMP Program Management Office (PMO) developed several helpful resources, available on the FedRAMP website, for companies that are seeking to go through the authorization process.”
Specifically, the GSA spokesperson suggests these requirement resources:
- The Cloud Service Provider (CSP) Authorization Playbook” – This guide offers details on initial FedRAMP readiness assessments, the FedRAMP Ready determination, full security assessments and the Joint Authorization Board (JAB) authorization process.
- 7 Lessons Learned for Small Businesses and Startups” – According to the GSA, “this list captures multiple best practices and helpful information from these organizations in going through the process.”
Touhill, meanwhile, points to the updated Customer Implementation Summary (CIS) and Customer Responsibility Matrix (CRM) templates, which offer clearer direction and more streamlined compliance structures to help companies define must-do checklists before starting the approval process.
And, according to the GSA spokesperson, if companies can’t find what they’re looking for, help isn’t far away: At any time, companies can reach out to the FedRAMP PMO for assistance by e-mailing firstname.lastname@example.org.
Finding FedRAMP-Ready Vendors
The FedRAMP Marketplace can point agencies in the right direction for FedRAMP-authorized cloud service providers, but it’s worth noting that three CSP classifications exist: FedRAMP Ready, FedRAMP In Process and FedRAMP Authorized.
Although FedRAMP Ready vendors have been evaluated by a Third-Party Assessment Organization (3PAO) and completed a Readiness Assessment Report (RAR), they are not officially approved by the program.
In some cases, a single vendor can also have multiple services in differing approval stages. For example, while Cisco Webex Software as a Service has 17 FedRAMP authorizations, Cisco SD-WAN remains “FedRAMP In Process.” As a result, it’s critical for companies to evaluate potential vendors on a case-by-case basis.
As a program, FedRAMP is still evolving. FedRAMP has shown a willingness to adapt to industry demands, which is helping the program reduce the time required for vendor approval. FedRAMP’s evolution is also increasing the ability of agencies to reuse approved services and is improving CSPs’ chances of authorization with “train the trainer” frameworks.