Federal Cloud Forecast Getting Brighter: FedRAMP Evolving

The forecast is looking brighter for FedRAMP.

The FedRAMP Project Management Office (PMO) has worked to make the cloud procurement more transparent and more efficient. At June’s Cloud Brainstorm event, Congressmen Will Hurd (R-Texas), Gerry Connelly (D-Va.), and FedRAMP leadership from the General Services Administration (GSA) shared perspectives on progress to date and what’s ahead.

Most agree that the FedRAMP Accelerated program, which modified how the FedRAMP Joint Authorization Board (JAB) authorizes cloud service providers (CSPs) to make the process significantly faster and more predictable, has eased concerns and is driving positive change. Rep. Connolly said legislators are pleased with FedRAMP’s progress, sharing, “It wasn’t that long ago that we were feeling pretty dire about how FedRAMP was proceeding. Significant improvements have been made.”

An independent study of FedRAMP from May 2017 found that six agencies have used at least 20 CSPs approved under FedRAMP, and that there was an 80% growth in the use of FedRAMP certifications.

That said, industry representatives continue to see the reluctance of one agency to accept another agency’s Authority to Operate (ATO). While agencies are willing to go through the process to get a CSP approved by FedRAMP, contributing to the overall growth in certifications, one agency doesn’t necessarily trust a CSP brought through the process by a different agency, as each agency IT head has a different set of internal standards and guidelines. This is a significant issue, but leadership recognizes the challenges are driven by factors beyond the FedRAMP program.

Matt Goodrich, FedRAMP program director, says that given FedRAMP’s budget, it is neither realistic nor prudent for every vendor to go through Joint Authorization Board (JAB) approval. JAB must be reserved for cloud services that are truly government-wide.

Under the Federal Information Security Act (FISMA), the CIO is the sole individual responsible for accepting cyber risks for their own agency. Acceptable risk for one agency may not translate to acceptable risk for another.

What’s ahead for FedRAMP? The goal is to get to a point where a vendor holding one ATO can go through an even more accelerated process as they apply for the next. Hopefully, the FedRAMP program will continue to streamline and evolve.

FedRAMP can also serve as a driver for cloud adoption beyond federal agencies. Joe Moye, senior vice president of public sector, Virtustream, says, “The state and local government market creates an opportunity to leverage the FedRAMP platform beyond federal agencies. The focus on expediting some of the process is crucial.”

FedRAMP will play a vital role as agencies focus on digital transformation and modernization. It’s important we continue to engage in productive public/private dialog and work together to ensure agencies have the best and most secure cloud options.

Learn more about Dell and Dell Technologies FedRAMP-approved cloud services:  http://www.dell.com/learn/us/en/uscorp1/press-releases/2016-04-25-dell-cloud-for-us-government-meets-security-standards and http://www.virtustream.com/cloud/virtustream-federal-cloud/.

Cameron Chehreh
About Cameron Chehreh
Cameron Chehreh currently serves as Chief Technology Officer for Dell EMC Federal. In this role, Cameron is responsible for developing and executing strategy, corporate development, leadership, and driving innovation for Dell solutions for the Federal Civilian, U.S. Department of Defense and Intelligence Community customers.
One Comment
  1. Anonymous | - Reply
    Mr. Chehreh, Of those 20 CSPs, how many were small business that went through the accelerated program? Chances are not any! While FedRAMP has grown, it has failed to address the small business CSP providers and has placed, in some cases, undue burden. Smaller agencies have yet to truly engage FedRAMP, even less understand the process and furthermore are still reluctant to be a sponsoring agency. There's an educational gap that is yet not addressed and while the acceleration program may work for the mid to large size CSPs, it fails miserably for the smaller CSPs. So I ask, how many small to mid-size CSPs have been afforded the opportunity to receive JAB or go through an accelerated process?

Leave a Reply

Archives