Earlier this spring, the Federal Risk and Authorization Management Program (FedRAMP) announced sweeping process changes in an effort to accelerate the accreditation of cloud solution providers (CSPs) to better meet agencies’ needs. The intent of the announced changes is to reduce the time and cost associated with receiving accreditation. This article will examine the potential pros and cons of FedRAMP’s new approach and discuss critical considerations for CSPs to successfully navigate the changes.
The Reported Advantages:
Speed: According to GSA, CSPs currently fill out hundreds of pages of documents and turn them over to the FedRAMP office for vetting. Currently, the vetting takes on average between three and nine months to complete just to earn the FedRAMP Ready Status. The fastest FedRAMP approval to date took five months, while most reviews are now taking nine to 18 months. The proposed FedRAMP Ready changes suggest CSPs can earn an ATO in under six months, possibly three. Needless to say, this is a fundamentally better timeline for many CSPs that need accreditation as part of their route to market.
Stronger Capability Assessments: Currently, documentation reviews are lengthy and don’t necessarily involve a direct view of the CSP’s systems and security controls. Under the proposed process, a 3PAO will provide the initial system analysis. This real-world analysis may remove some of the risks for the government of going through the program.
The inclusion of a Capability level is the strongest outcome of this change. By clearly defining the assessments for CSPs, the FedRAMP PMO could in the near future look at the success or failure of CSPs in retrospective terms. CSPs also have a clear measure of how they may promote or distinguish their system.
Figure 1: FedRAMP Readiness Capability Level Factors Showcase
Some Potential Limitations:
Fewer accreditation options: The FedRAMP PMO is eliminating the CSP Supplied compliance path. In addition, not all CSPs will be allowed to go through the P-ATO or FedRAMP Accelerated paths anymore. The P-ATO path will likely be used less and less, and if a new, innovative CSP has the opportunity to have an agency review their package, the P-ATO path may not be used at all. The CSPs that do not meet the outlined criteria will have a very hard time getting accredited or may fall behind their competitors, leaving them at a substantial market disadvantage.
Increased need for documentation and added (hidden) costs: As most companies doing business with the government know, more documentation does not necessarily equal more security. At the same time, compliance documentation increases costs to CSPs in the following areas:
- Overhead for documentation or consultant help in documentation to meet the FedRAMP standards and processes.
- Clearly, large businesses or technology innovators with deep pockets or more generous investors are more likely to face fewer hurdles to the Federal market. Small businesses and new innovators are likely to struggle because they will need sufficient investment to meet capability levels prior to earning any revenue.
- Additional 3PAO costs for the CSP related to the FedRAMP Readiness Assessment Guidance (RAG).
- Additional 3PAO risks and costs for the real and potential liabilities related to attestation. This includes the liabilities a 3PAO may face from the CSP and the costs of defense related to suggested credibility issues from the FedRAMP PMO, especially if a breach or leak of CSP data occurs after having been through FedRAMP Ready.
- Potential political costs for the FedRAMP PMO if CSPs have accomplished FedRAMP Ready but are not approved or viewed by the FedRAMP PMO as worthy for selection to the P-ATO JAB process. The cost to the CSP would be frustration and the inability to unlock government sales of innovative, new solutions.
Regardless of the accreditation path a CSP is taking, the FedRAMP process is all about understanding and demonstrating security and documentation due diligence. CSPs need to understand their strengths and weaknesses vis-à-vis the requirements and proactively work with their selected 3PAOs to close security gaps.
Maria Horton is CEO of EmeSec, an accredited 3PAO supporting customers in adopting the cybersecurity and risk mitigation best practices they need to build competitive advantage in today’s connected world. Since 2003, the company has been working with government and private sector organizations to help them protect their missions, reputations, and growth engines, while harnessing the power of security and automated technologies.