First established in 2011, the Federal Risk and Authorization Management Program (FedRAMP) was designed to streamline how agencies make the move to cloud computing. With its standardized approach to security assessment, authorization, and continuous monitoring for cloud service provider (CSP) products and services, FedRAMP was intended to save 30-40% of government costs using a “do once, use many times” framework.
But it didn’t quite pan out that way.
Agencies and CSPs have for some time expressed concern about the efficiencies of the program. In particular, the process of assessing and certifying CSP products for security has become a costly and time-consuming business.
These concerns were recently reiterated in a position paper by the FedRAMP Fast Forward industry advocacy group which encompasses CSPs, federal agencies, Capitol Hill officials, and government IT think tank, MeriTalk:
“Two years ago, the prevailing wisdom held that the time and cost for industry to obtain a FedRAMP Authority to Operate (ATO) was nine months and $250,000. Today, those figures can reach as high as two years and $4 million to $5 million.”
Cloud Vendors Lack Insight into FedRAMP Approval Status
The report also cited a problem with accountability and transparency:
“Both agencies and vendors lack information they need to make educated decisions. CSPs are blind to their status in the approval process and what they need to do to move forward, and agencies lack insight into where authorized cloud solutions are operating,” states the paper.
MeriTalk’s founder, Steve O’Keeffe, blogged about the specific problems with the program in his blog: Fix FedRAMP – Tough Love?. Echoing the position paper, O’Keeffe had this to say:
“We love FedRAMP. How could you not?... But it costs too much, it takes too long. CSPs in the process don’t know their status and CSPs trying to get in, don’t know how. There’s mass confusion about the merits of the three paths to a FedRAMP ATO – JAB, agency, and self-certification. CSPs are afraid to raise issues publicly for fear of reprisals from the PMO.”
FedRAMP 2.0 – A 6-Point Plan
In response to the growing frustration with FedRAMP processes, the Fix FedRAMP group recently published its recommendations for FedRAMP 2.0. The six-point plan calls for the following:
1. Normalize Joint Authorization Board (JAB) and ATO Certification Processes: CSPs see a disparity between having a JAB certification and an ATO. The plan calls for a pathway for CSPS to graduate from an ATO to a JAB.
2. Increase Transparency: The report offers a number of recommendations for helping CSPs figure how long an ATO will take and how much it will cost.
3. Harmonize Security Standards: The reports calls for the mapping of FedRAMP to other industry standards (not just NIST) so that CSPs get credit for having already attained those standards.
4. Reduce Cost of Continuous Monitoring: CSPs are continuously monitored for compliance. The report recommends that the cost of monitoring should be reduced for CSPs who have an ATO.
5. Empower Infrastructure Upgrades: This would allow CSPs to upgrade their cloud environments while awaiting approval, without falling out of compliance.
6. Establish Defense Department Crosswalk: Help CSPs map their FedRAMP compliance to DoD security requirements so that they don’t have to start over again should they wish to provide cloud services to DoD.
FedRAMP Responds
FedRAMP agrees there’s a problem. Following a private briefing on the contents of the Fix FedRAMP paper, on January 20th, FedRAMP Director, Matthew Goodrich posted a blog – The Evolution of FedRAMP – in which he outlined quick and immediate changes focused on key improvements in the following areas:
1. Increasing the speed to authorization
2. Increasing transparency
3. Piloting a high baseline
4. Promoting FedRAMP reuse
The Future of FedRAMP 2.0
GSA is expected to roll out its plan to fix FedRAMP on March 3rd. “We’re delighted to hear GSA’s changing. We love the direction. Now we’d all like to see the operational details,” wrote MeriiTalk’s O’Keeffe.
Watch this space!