The changes also focus on increasing transparency and promoting FedRAMP reuse.
The small office responsible for standardizing the government’s cloud computing security requirements is planning “major changes” to the Federal Risk and Authorization Management Program, aimed at speeding up the often months-long vetting process.
FedRAMP Director Matt Goodrich announced the move in a Jan. 20 post on the General Services Administration’s blog.
The changes will focus on “four key improvements,” including upping the speed to cloud security authorizations; increasing transparency; piloting a Federal Information Security Management Act-high baseline set of standards; and promoting FedRAMP reuse.
Officials had first teased the changes in a December 2014 “FedRAMP Forward” roadmap, laying out plans for how the cloud-vetting process would change over the next couple years.
The overall goals are streamlining the 4-year-old program and accelerating agencies’ cloud migrations, Goodrich said.
Speed, he said, is key. The quickest authorizations to operate, Goodrich said, have taken six months, which is “too long” considering today’s cloud systems can be set up in days or “sometimes even minutes.”
To improve transparency, Goodrich said the FedRAMP team will develop a public dashboard by spring that will provide important data – which agencies are using FedRAMP, a list of authorized cloud service providers, a cloud service provider pipeline and what services are available to agencies – in a “searchable, downloadable and easy to find” format. This feature could reduce the time cloud newbies in government take to get up to speed on what’s available to them.
FedRAMP is also piloting a FISMA-high baseline for higher-level security systems with select cloud vendors, while simultaneously finalizing the requirements for such high-impact systems.
Those requirements could be wrapped up by the end of this winter, Goodrich said. The high baseline wasn’t much sought after early in FedRAMP’s inception, but it’s become more requested by agencies like the Department of Veterans Affairs that operate sensitive systems, he said.
Finally, Goodrich said his office wants to promote FedRAMP reuse. To do that, it has added a member to the team, Ashley Mahan, who will “complete an agency roadshow over the next three months.” Mahan will be meeting with agencies to identify how they are using FedRAMP and the types of cloud service providers they’re interested in, Goodrich said.
These changes aren’t random but stem from feedback gathered by the FedRAMP team over the past six months from agencies, industry experts, program managers and others, he said.
“We’d like FedRAMP to become as true of a partnership between the federal government and industry as possible—and we want the FedRAMP authorization process to clearly reflect this,” Goodrich said in the post. “We need the continued engagement of both government and industry. So stay involved. We promise to continue to respond and iterate to ensure we’re meeting your needs.”