An update to the cloud-vetting program is in the works.
The director of the General Services Administration’s cloud-vetting program office is continuing to promise faster authorizations for cloud security packages, one of a number of changes initially laid out back in January.
The changes will be reflected in a six-month update to the Federal Risk and Authorization Management Program to be released in the next week or so, according to FedRAMP Director Matt Goodrich.
The changes focus on four areas: speeding up cloud security authorizations; increasing transparency; piloting a Federal Information Security Management Act-high baseline set of standards; and promoting FedRAMP reuse.
Speed, however, is perhaps the most important.
“I believe every authorization can happen under six months,” Goodrich told an audience at the Adobe Digital Government Assembly.
Goodrich said some authorizations were taking “12 to 18 months, and that’s not where we want to be.”
An examination of “pain points” revealed a heavy focus on documentation rather than the functionality and capability of cloud service providers, something Goodrich said will change. Up to 70 percent of the time to assessment “was being spent looking at documentation,” which, he said, is actually “the weakest part of actually viewing a cloud provider.”
“I really care about their capabilities and that they’re not a risky system,” he added.
Goodrich also addressed criticism the FedRAMP office has received in recent months from some industry voices, some of which have released their own recommendations for improving FedRAMP.
“For a long time, everyone was super happy with FedRAMP, then we started hearing some grumblings, and I don’t like it when people don’t like me, so I wanted to hear what people were saying,” Goodrich said. “Thankfully, everyone is pretty honest and frank with us. What we heard is they wanted a little more transparency in the process.”
FedRAMP’s improvements will include measures to bolster transparency, including transparency dashboards on the FedRAMP website.