Federal Risk and Authorization Management Program (FedRAMP) Director Matt Goodrich on Thursday said the cloud security program has established a solid foundation, but that the program needs to determine whether changes are necessary so it can continue to mature.
“If we were on an S-curve, we’re still on our first S-curve,” Goodrich said. “We (have) spent a lot of time doing the research, trying to build it. We built a program. We built some processes. It’s been working. It’s been working well. I think right now we’re at a point where…everyone’s aware that we’re not scaling exactly the way we would like to scale. …We’re doing an internal look at all of our processes and trying to figure out a way that maybe we could do it differently.”
FedRAMP has established and institutionalized cloud security for Federal agencies since it opened for business more than three years ago. The program also continues to grow rapidly. FedRAMP reported more than 1,400 uses of cloud computing across the Federal government when it issued an update of its operations in August.
But the FedRAMP Program Management Office (PMO) continues to hear concerns that the process takes too long.
“I think right now it works really well. Would everyone like it to move faster? Yes,” Goodrich said at Cloud Connect 2015, an event hosted by MeriTalk.
Goodrich introduced the notion of “fail fast.” That means turning away cloud service providers (CSPs) if they are unprepared to go through FedRAMP, even if they submit paperwork seeking certification.
“I like the ‘fail fast’ term. Get feedback fast and know exactly what you need to do,” Goodrich said. “So how do we make sure we can understand your abilities faster, and you understand what you have to do faster, so we can give that feedback…faster? So that’s what we’re trying to do.”
The FedRAMP PMO has said it will introduce automation to assist with some of its internal work to review CSP submissions, but that some of the burden to speed up reviews lies with CSPs.
“Do I think it requires a lot of government work to make (FedRAMP) move faster? Not necessarily. I think that requires a lot of work on industry’s part to make sure you come prepared,” Goodrich said.
FedRAMP has developed exhaustive new guidance for CSPs and Federal agencies seeking approval of cloud computing solutions. Its “Review and Approve Process” represents an attempt to standardize the cloud program’s complicated certification process.
The change was necessary because of the growing number of applications for review and the quality of applications. The PMO hopes clearer rules and improved guidance result in better documentation from CSPs and agencies.
The standard operating procedures outline the process in great detail to help CSPs and agencies understand the PMO’s process for reviewing authorization packages. The PMO also has drafted an elaborate chart to help CSPs and agencies visualize the process.