The cloud times – they are a-changin.’
As the disruptive potential of cloud computing continues to evolve, so too will the standardized approach federal agencies take to ensure the cloud computing service providers they ink deals with meet security standards, according to the officials who run the program.
That approach – the Federal Risk and Authorization Management Program, or FedRAMP, has gone through more than a few tweaks over the past few years.
But on Dec. 17, the General Services Administration will present its most concrete plans for the future of FedRAMP, releasing a “FedRAMP Forward” road map that addresses how the program will develop over the next two years.
Officials say they’re focusing on three goals in the FedRAMP re-think: increased compliance and agency participation, improved efficiencies and continued adaptation.
While the first two goals are focused on increasing the speed with which agencies continue to adopt cloud services, the last goal may perhaps be the most important if only because technology changes by the minute.
“Cybersecurity is changing on the hour-to-hour, minute-to-minute basis,” said FedRAMP Director Matt Goodrich at a roundtable with reporters Tuesday. “We have to be making sure we’re continuing to adapt.”
The goals outlined in the FedRAMP Forward release are accompanied by six-month deadlines. Deliverables of note include:
- Baseline metrics for FedRAMP – not restricted to PortfolioStat data
- Training modules for FedRAMP that target specific stakeholders, such as third-party accrediting organizations, cloud service providers and agencies
- The launch of FedRAMP agency working groups
- The creation of automation requirements for documentation
- The reuse of other IT standards within FedRAMP
- FedRAMP overlays that allow for compliance assessments across various other IT initiatives, including IPv6 and HSPD-12 requirements for smart cards to access federal networks.
In addition, the FedRAMP program office will soon issue a draft high baseline for nonclassified systems with uniquely sensitive data under the Federal Information Security Management Act. The baseline may be issued in January, but would require periods of public comment before its implementation.
During the roundtable, Goodrich said FedRAMP’s program office will apply lessons learned over the past few years. But he was also quick to tout the program’s successes. According to GSA, more than 27 cloud service providers are compliant with FedRAMP, with more than 160 FISMA implementations across government covered under those authorizations.
A “conservative estimate” of cost savings achieved through the reuse of these authorizations is $40 million, while total costs for the program tally up to $13 million, according to a GSA release.
Still, critics of the program fault how long it takes for vendors to achieve accreditation.
Achieving compliance with FedRAMP through any of three avenues, including a Joint Authorization Board Approval or an agency authority-to-operate, takes anywhere from nine months to a year. While those times can be streamlined to perhaps six months, FedRAMP will not sacrifice the rigor of requirements and security simply for the sake of speeding solutions through the pipeline, according to Kathy Conrad, acting associate administrator of GSA's Office of Citizen Services and Innovative Technologies.
“FedRAMP has never been quick,” she said.
But while FedRAMP may never be a fast program, the program office’s latest update suggests it will be much more flexible going forward.