A fast lane for FedRAMP

The Federal Risk and Authorization Management Program is being retooled in hopes of dramatically shortening the time it takes to get a cloud service reviewed and approved for agency use. 

FedRAMP Director Matt Goodrich detailed the changes -- which came after a six-month review of the current processes that involved discussions with more than 80 different stakeholder groups -- at a March 28 kickoff event at the General Services Administration headquarters in Washington.

The most notable change is a shift to surveying cloud service providers' capabilities upfront rather than requiring and then reviewing extensive, expensive and time-consuming documentation. Goodrich unveiled a proposed new FedRAMP Readiness Capabilities Assessment that he said CSPs could complete in less than a month -- and have the FedRAMP program management office review within a week. GSA is accepting public comments on the new method until April 29.

The FedRAMP process has sometimes frustrated cloud service providers and agencies alike, largely because of the time and cost that securing a provisional authority to operate can entail. The fastest FedRAMP approval to date took five month, Goodrich said, and most reviews are now taking nine to 18 months. 

While resource constraints are part of the problem -- Goodrich noted that this is the first year the CIOs from GSA and the Departments of Defense and Homeland Security, who make up FedRAMP's Joint Authorization Board, have dedicated funding for their FedRAMP efforts -- the main issue seems to be the documentation-driven process. 

"The way that industry and the way that government were approaching the authorizations," Goodrich said, "we were following two different paths."

On the government side, he explained, the FedRAMP team was looking at documentation "to try and understand a CSP's system," and then using that to identify any gaps and instruct the CSP on changes that need to be implemented in order to provide the needed capabilities.

For the cloud providers themselves, however, "you know what the capabilities are," Goodrich said." CSPs look at their systems, identify what they need to do to meet federal requirements, implement those changes -- "and then you document."  

The new approach, he said, is all about putting the FedRAMP program management office "on the same path" that CSPs are using.  "We want to understand capabilities up front too," Goodrich said.

The new process, called FedRAMP Accelerated, will require CSPs that want to work with the Joint Authorization Board for FedRAMP approval to have a third-party assessment organization, or 3PAO, conduct the initial capabilities assessment before diving into detailed documentation.  If the 3PAO gives the cloud service passing marks, and the FedRAMP team agrees, that CSP would be declared “FedRAMP ready” -- a designation Goodrich said would then "really mean something" and give agencies confidence that the service would be approved for use in relatively short order.  

The CSP would then be required to complete a full FedRAMP Security Assessment before moving on to the Joint Authorization Board for approval.  That too is a change from the current approach, but one that Goodrich said was key to ensuring faster approvals. 

The new process is currently being tested with three CSPs:  Unisys, Microsoft and GSA’s 18F. Claudio Belloli, the FedRAMP program manager for cybersecurity at ‎GSA, said the trials began earlier this month and will continue until June or so. Assuming no major problems, the new method would then be rolled out for other providers.

The new approach should trim the overall approval time down six months, Goodrich and Belloli said -- and possibly to as little as three months.  And that, in turn, would give agencies access to a broader range of CSPs more quickly.

Agencies, of course, are able to sponsor their own FedRAMP authorizations as well.  The new approach is only for Joint Authorization Board reviews, Goodrich stressed. Agencies are not required to use the new approach, but he said the hope is that they will see the benefits and follow suit.

The third path to FedRAMP approval, however -- the so-called "CSP Supplied" process, where a provider tests and documents without a government sponsor -- is going away.  CSPs with such efforts already underway can submit completed packages until April 29. After that, they will have to shift to the Joint Authorization Board/FedRAMP Accelerated approach -- a path that Goodrich said would likely be both faster and cheaper.