A Federal IT industry advocacy group today published a six-step plan to reform the government’s cloud security certification process known as the Federal Risk and Authorization Management Program (FedRAMP)—a process that many say is fundamentally broken.
“Despite the allure of cloud, the government’s process of acquiring cloud computing services is in need of a major facelift,” according to a position paper by the FedRAMP Fast Forward industry advocacy group titled Fix FedRAMP: A 6-Point Plan. “Nowhere is this more evident than in the process of assessing and certifying a Cloud Service Provider’s (CSP) products and services for security.”
The position paper is the result of seven months of collaboration between members of the FedRAMP Fast Forward industry group, including cloud service providers (CSPs), third-party assessment organizations (3PAOs), Federal agencies, and officials from Capitol Hill. MeriTalk has participated in those meetings.
Launched in 2011, the goal of FedRAMP was to standardize the government’s approach to conducting security assessments, authorizations, and continuous monitoring for cloud services. But government agencies and CSPs have voiced concerns in recent years about the efficiency of the program, as well as the perceived lack of effectiveness and transparency. “The real promise of FedRAMP—embodied in the ‘certify once, use many times’ framework—has been jeopardized by what has become a costly and time-consuming process that lacks transparency and accountability,” the paper states.
Two years ago, the prevailing wisdom held that the time and cost for industry to obtain a FedRAMP Authority to Operate (ATO) was nine months and $250,000. Today, those figures can reach as high as two years and $4 million to $5 million, according to the Cloud Computing Caucus Annual Report. The increasing costs, and the lack of transparency into why some CSPs succeed in obtaining an ATO while others fail, have led to significant fears that the FedRAMP program could have a negative impact on cloud adoption throughout the Federal government.
“Both agencies and vendors lack information they need to make educated decisions. CSPs are blind to their status in the approval process and what they need to do to move forward, and agencies lack insight into where authorized cloud solutions are operating,” the paper states. “CSPs have expressed confusion about program and documentation requirements, which points to a need to have the PMO clarify guidance, improve feedback mechanisms, and expand training. In fact, there is so much confusion in the government ranks that many agencies are simply not accepting ATOs granted by other agencies.”
The problems with FedRAMP are many, said Steve O’Keeffe, founder of MeriTalk. “It costs too much, it takes too long. CSPs in the process don’t know their status, and CSPs trying to get in don’t know how,” he wrote in a blog post Monday. “There’s mass confusion about the merits of the three paths to a FedRAMP ATO – JAB, agency, and self certification. CSPs are afraid to raise issues publicly for fear of reprisals from the PMO. The program’s unscalable – the PMO spends as much on continuous monitoring for the current approved CSPs as it does on managing all new applications in process. Fix the program or it’ll fall under its own weight. We can’t afford to wait – it’s time for action on FedRAMP 2.0.”
To that end, the Fix FedRAMP plan calls for the following:
- Normalize the certification process. CSPs can take several routes to an ATO, and not all are seen as equal, which fundamentally undermines the value proposition of the FedRAMP program
- Increase transparency about the approval process, what it takes to gain approval, and the time and cost involved
- Harmonize security standards, so that CSPs can meet some FedRAMP requirements through compliance with existing international and privacy standards
- Reduce the cost of continuous monitoring for CSPs that have achieved an ATO
- Enable CSPs to upgrade their cloud environments while remaining compliant with FedRAMP requirements
- Help CSPs map their FedRAMP compliance to Department of Defense (DoD) security requirements, rather than forcing them to start over again to obtain the ability to provide cloud services to DoD
Just two weeks after being briefed privately on the content of the Fix FedRAMP paper, FedRAMP Director Matt Goodrich posted a blog Jan. 20 in which he promised action on various industry concerns.
“We’re taking your feedback to heart. During the coming weeks and months, we’ll be making some major changes based on your feedback,” Goodrich wrote. “Things are going to happen quickly,” he said.
According to Goodrich, the FedRAMP program management office will be focusing on four key improvements:
- Increasing the speed to authorization
- Increasing transparency
- Piloting a high baseline
- Promoting FedRAMP reuse
“Seems Matt Goodrich and his team listened,” O’Keeffe wrote in response to Goodrich’s post. “Let’s hear it for change — if the FedRAMP PMO’s up for change — we’re excited to work with them. If this is just window dressing to ward off criticism, we’ll ensure to hold their feet to the fire.”