First FedRAMP Accelerated Authorization Takes 15 Weeks

Two weeks ago, FedRAMP Director Matt Goodrich told an audience authorizations sped up significantly under the cloud security program’s new FedRAMP Accelerated approach, and today Goodrich’s team released some numbers to back up those statements.

In a blog post, Goodrich announced its first cloud service provider—Microsoft Customer Relationship Manager Online—received the first provisional authority to operate by FedRAMP’s Joint Authorization Board through the Accelerated process in 15 weeks.

Compare that to the 104 weeks—two years—it took the previous CSP to attain an ATO through FedRAMP’s old waterfall, documentation-heavy approach.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

“FedRAMP Accelerated is showing major returns on decreasing authorization timeframes,” Goodrich said in the post. “While there are a lot of reasons why this authorization was faster, there are two key elements to the process that enabled an authorization in under four months: CSP readiness prior to the authorization process demonstrated through capability assessments and an iterative review approach for the authorization process.”

To be clear, taking two years to attain an ATO isn’t common—Goodrich told Nextgov in an interview the average time from kickoff to authorization was between 12 and 18 months—but those lengthy times to market were the primary reason FedRAMP received a hefty dose of criticism from industry and others. In any case, 15 weeks is significantly faster than any authorizations FedRAMP did prior to taking steps to improve.

FedRAMP shaved a big chunk of time off the authorization process by focusing less on thousands of pages of documentation and more on CSP capabilities validated by third party assessment organizations. For comparison’s sake, the same CSP that took two years to get an authorization spent about 40 weeks on documentation alone; Microsoft Customer Relationship Manager Online spent about 10 weeks on capability reviews.

In the post, Goodrich said an iterative review process for authorizations also sped things up.

“Previously, the JAB review process was focused on a waterfall-like approach designed with key stage gates­ focusing on documentation, then testing, then reviews of risks,” Goodrich said. “The new FedRAMP Accelerated process, with capabilities and risk assessments upfront, enable the JAB to complete faster, more iterative reviews allowing for key questions or concerns to be raised faster and up front in the process.”

Two other organizations in the FedRAMP Accelerated pipeline—Unisys solutions Secure Private Cloud for Government and Edge for Government as well as 18F’s Cloud.gov—are following similar timelines, suggesting FedRAMP Accelerated’s early success with Microsoft isn’t a one-hit wonder.

The decreased time to federal market is likely to have a positive effect on cloud service provider’s bottom lines, allowing them to see returns on their investments to get products ready for government use much quicker. In addition, CSPs should spend far less money on assessors, consultants and their internal teams through the decreased time on documentation alone, Goodrich said.

Goodrich told Nextgov the increased speed to market won’t negatively impact security. Focusing on capabilities over documentation and incorporating continuous monitoring and real-time reviews is better for both the government and cloud service providers’ bottom lines.

“I actually think we have better security [with the new model],” Goodrich said. “We’re focusing on what is actually important on the compliance side, and what capabilities are in place for these vendors.”