The FedRAMP program has granted more authorizations to software-as-a-service (SaaS) applications and reduced the time to authorization over its last three years, according to an analysis of the program.
The analysis, performed by cybersecurity firm Coalfire, found that FedRAMP authorities to operate (ATOs) have shifted heavily towards SaaS in the last two years.
“Only 47 percent of ATOs granted in the first years of the FedRAMP program were issued to CSPs [cloud service providers] with SaaS applications … From 2017 to 2019, 77 percent of ATOs granted under the FedRAMP program were issued to CSPs [cloud service providers] with SaaS applications,” the report found.
The report also took a look towards the future, anticipating more ambitious migration efforts from agencies, revisions in agency cloud policies to better align with FedRAMP, and potential legislation to put the FedRAMP program into law.
There’s also room for FedRAMP to keep growing.
“Our best estimate indicates that more than 50 percent of Federal agencies do not yet participate in FedRAMP,” the report notes.
With initiatives such as FedRAMP Tailored supporting authorizations for SaaS and aiming to speed up authorizations, the rise in SaaS has also come with a reduction in wait times.
“Time to FedRAMP authorization (from the time of assessment initiation by a CSP) decreased from 12 to 16 months in early 2016 to as little as six months in late 2018/early 2019, with the average time taking nine to 12 months as of early 2019,” the analysis found.
The decline in authorization time also comes in the midst of CSPs moving towards agency approval over Joint Authorization Board approval. The report found that while 47 percent of authorizations from 2013 to 2016 went through the Joint Authorization Board, only 16 percent went through the same process from 2017 to March 2019.