FedRAMP Responds to Critics, Changes Course


The General Services Administration’s Federal Risk and Authorization Management Program (FedRAMP) announced significant structural changes Monday to the way the government will certify the security of cloud service providers.

Known as FedRAMP Accelerated, the new process will sunset the CSP-supplied documentation path to obtaining FedRAMP Ready status. The last day for the old process is April 29. Under the new plan, CSPs will be required to undergo a capabilities readiness assessment by a third-party assessment organization (3PAO) prior to being placed on the FedRAMP Ready list. In addition, any CSP seeking certification through the Joint Authorization Board, known as the JAB, must already have obtained FedRAMP Ready status and have completed security assessment testing before kicking off the JAB certification process.

“We want to make FedRAMP Ready powerful,” said FedRAMP Director Matt Goodrich, speaking at a FedRAMP Accelerated launch event at GSA headquarters. “We want to make sure that if we say someone is ready, that there’s actual power behind that. This is something that industry is already doing–they call it a gap assessment. It’s not rocket science, so why aren’t we doing the same thing in government?”

Claudio Belloli, the FedRAMP program manager for cybersecurity, said the revised process leverages everyone’s strengths and that the JAB review teams at the Department of Defense, Department of Homeland Security, and the GSA will leverage new funding to ramp up collaboration. “Assessment…is an early indicator of the capabilities that are in place–not a notional system–a good indicator of risk posture and if they’re ready to go into the FedRAMP process,” he said.

FedRAMP Ready is “meant to give a high level of confidence which was lacking in our current process,” he added.

According to Goodrich, the new process will be easier, faster, and cheaper than the old CSP-supplied documentation process, and will make it easier for CSPs to sell to agencies. “The old process spent 70 to 80 percent of the time on reviewing documentation–that’s a lot of time to be looking at paper,” Goodrich said. The goal under FedRAMP Accelerated is to achieve FedRAMP Ready status within 30 days, and a Provisional Authority to Operate (P-ATO) within three to six months, he said.

The new FedRAMP Accelerated is currently being tested with the help of Microsoft, Unisys, and 18F’s Cloud.gov.

FedRAMP Accelerated process
The goal of the new FedRAMP Accelerated process is to get cloud service providers through the security authorization process in three to six months.

FedRAMP Accelerated comes just two months after a cloud industry advocacy group published a Fix FedRAMP position paper—a scathing assessment of the program’s shortcomings—and took their concerns to Capitol Hill, prompting lawmakers to promise closer oversight. GSA had refused to publicly comment on the paper by the FedRAMP Fast Forward Industry Advocacy Group and later pulled out of a meeting of the Cloud Computing Caucus Advisory Group on Capitol Hill.

But the new FedRAMP Accelerated borrows many of the concepts laid out in the Fix FedRAMP position paper, particularly the need for greater transparency, and a more streamlined process that costs far less money.

“FedRAMP is the right tool, it’s the tool that’s necessary,” said GSA Administrator Denise Turner Roth, who gave the opening remarks at the FedRAMP Accelerated event. “We want to ensure that it is here to stay.”

“We are evolving to meet your needs,” said Ashley Mahan, FedRAMP’s recently hired agency evangelist. Mahan assured industry attendees that the agency wants what CSPs want from the FedRAMP process—”greater certainty of success, more transparency, faster speed to authorization, and predictability in time frames.”

Goodrich acknowledged that speed was not one of the original goals of FedRAMP, but made clear that the program would remain diligent in its focus on security. “It was supposed to be secure and high quality. We were more concerned that the systems we were authorizing were secure,” he said. “We will never trade rigor for speed.”

About Dan Verton
MeriTalk Executive Editor Dan Verton is a veteran journalist and winner of the First Place Jesse H. Neal National Business Journalism Award for Best News Reporting -- the highest award in the nation for business/trade journalism. Dan earned a Master's Degree in Journalism and Public Affairs from American University in Washington, D.C., and has spent the last 20 years in the nation's capital reporting on government, enterprise technology, policy and national cybersecurity. He’s also a former intelligence officer in the United States Marine Corps, has authored three books on cybersecurity, and has testified on critical infrastructure protection before both House and Senate committees.
8 Comments
  1. Anonymous
    I really was hoping for more substance. Q&A was tightly controlled via note cards (!) and they seemed to stay away from the more challenging queries that I know several people asked. To make the timeline shorter, just cull out the part that often takes the longest and make that "customer time" and voila! 6-month ATOs! At least the 3PAOs got more billable time so it wasn't a total loss.
  2. Anonymous
    How does this address concerns about agencies not accepting one another's ATOs?
  3. Anonymous
    A lot of fluff!
  4. Anonymous
    How does this address the SMB cost issues? Now potential CSPs have to "pay to play" with an increase in up-front costs. No guarantee at all for any savings on the back end. 3PAOs came out on top on this deal!
  5. Anonymous
    I hope MeriTalk is going to have follow-up interviews with Congressmen Connolly and Lieu! I'd love to hear their take on this...
  6. Anonymous
    Dan - You seem to think that MeriTalk's complaint paper had something to do with this - it didn't. Perhaps MeriTalk should reconsider its charter and stop acting like an angry young child.
  7. Anonymous
    Good work never goes unnoticed. Can't please all of the 3PAOs all of the time. But this was an industry and government-sourced product, not a MeriTalk op-ed.
  8. Dan Verton
    Thank you. Yes, anybody who participated in the months of working group meetings knows that this was a product driven by industry and a not insignificant number of federal government IT professionals. There is no editorializing here at all. It also speaks volumes that GSA was briefed on the work many weeks prior to the final report being released, and pulled out of the Cloud Caucus meeting on Capitol Hill. I've been working in federal technology journalism for 20 years, and this was as good as it gets -- candid input from sources with direct knowledge of what is happening and in-person acknowledgement from lawmakers that the final product got it right. The meeting on Capitol Hill was packed - standing room only. That speaks directly to the quality of the work that went into the report.
