The General Services Administration’s Federal Risk and Authorization Management Program (FedRAMP) announced significant structural changes Monday to the way the government will certify the security of cloud service providers.
Known as FedRAMP Accelerated, the new process will sunset the CSP-supplied documentation path to obtaining FedRAMP Ready status. The last day for the old process is April 29. Under the new plan, CSPs will be required to undergo a capabilities readiness assessment by a third-party assessment organization (3PAO) prior to being placed on the FedRAMP Ready list. In addition, any CSP seeking certification through the Joint Authorization Board, known as the JAB, must already have obtained FedRAMP Ready status and have completed security assessment testing before kicking off the JAB certification process.
“We want to make FedRAMP Ready powerful,” said FedRAMP Director Matt Goodrich, speaking at a FedRAMP Accelerated launch event at GSA headquarters. “We want to make sure that if we say someone is ready, that there’s actual power behind that. This is something that industry is already doing–they call it a gap assessment. It’s not rocket science, so why aren’t we doing the same thing in government?”
Claudio Belloli, the FedRAMP program manager for cybersecurity, said the revised process leverages everyone’s strengths and that the JAB review teams at the Department of Defense, Department of Homeland Security, and the GSA will leverage new funding to ramp up collaboration. “Assessment…is an early indicator of the capabilities that are in place–not a notional system–a good indicator of risk posture and if they’re ready to go into the FedRAMP process,” he said.
FedRAMP Ready is “meant to give a high level of confidence which was lacking in our current process,” he added.
According to Goodrich, the new process will be easier, faster, and cheaper than the old CSP-supplied documentation process, and will make it easier for CSPs to sell to agencies. “The old process spent 70 to 80 percent of the time on reviewing documentation–that’s a lot of time to be looking at paper,” Goodrich said. The goal under FedRAMP Accelerated is to achieve FedRAMP Ready status within 30 days, and a Provisional Authority to Operate (P-ATO) within three to six months, he said.
The new FedRAMP Accelerated is currently being tested with the help of Microsoft, Unisys, and 18F’s Cloud.gov.
FedRAMP Accelerated comes just two months after a cloud industry advocacy group published a Fix FedRAMP position paper—a scathing assessment of the program’s shortcomings—and took its concerns to Capitol Hill, prompting lawmakers to promise closer oversight. GSA had refused to publicly comment on the paper by the FedRAMP Fast Forward Industry Advocacy Group and later pulled out of a meeting of the Cloud Computing Caucus Advisory Group on Capitol Hill.
But the new FedRAMP Accelerated borrows many of the concepts laid out in the Fix FedRAMP position paper, particularly the need for greater transparency, and a more streamlined process that costs far less money.
“FedRAMP is the right tool, it’s the tool that’s necessary,” said GSA Administrator Denise Turner Roth, who gave the opening remarks at the FedRAMP Accelerated event. “We want to ensure that it is here to stay.”
“We are evolving to meet your needs,” said Ashley Mahan, FedRAMP’s recently hired agency evangelist. Mahan assured industry attendees that the agency wants what CSPs want from the FedRAMP process—“greater certainty of success, more transparency, faster speed to authorization, and predictability in time frames.”
Goodrich acknowledged that speed was not one of the original goals of FedRAMP, but made clear that the program would remain diligent in its focus on security. “It was supposed to be secure and high quality. We were more concerned that the systems we were authorizing were secure,” he said. “We will never trade rigor for speed.”