Industry: Include Agencies’ Approval of Cloud Service Providers in FISMA Metrics


GSA is working to measure the end-to-end timeline for agencies getting through the FedRAMP process, according to an official.

The General Services Administration largely agrees with industry-endorsed recommendations for improving the Federal Risk and Authorization Management Program, which is meant to hasten the government's use of cloud service providers, according to a GSA official who pointed to efforts to introduce transparency into how long agencies are taking to approve submissions.

“We’re substantially in agreement with the report,” said Anil Cheriyan, deputy commissioner of GSA’s Federal Acquisition Service and director of Technology Transformation Service. “We’ll also be working on managing the timeline, end to end.”

Cheriyan spoke Friday at an event hosted by the Center for Cybersecurity Law and Policy, where the group released a number of recommendations in a report derived from conversations with current and former government officials as well as cloud service providers involved with FedRAMP, the process meant to ensure that cloud offerings include appropriate cybersecurity controls.

FedRAMP administrators have come under pressure from multiple directions as industry bemoans a lengthy, overly manual and subjective review process, one that the Government Accountability Office reported many agencies sidestep entirely.

Legislation to codify FedRAMP passed the House Feb. 6 with $100 million included to add more automation to the reviews.

“Establish and report [Authority To Operate]-related metrics via annual [Federal Information Security Management Act] reporting to provide accountability,” was a key recommendation of the paper released today.

Cheriyan defended the "core" approval process within GSA, saying it had actually improved, but he said more needed to be done to manage the parts of the timeline controlled by entities outside the agency.

“We’ll need help from the agencies and from [the Office of Management and Budget], from a policy standpoint, measuring those timelines and really making sure that those are transparent and clear,” he said. 

One industry representative at the event noted the skewed incentives facing agency authorizers working through the review process and said it would be good to find a policy carrot that could shift them.

“No one ever gets called up to the Hill because they approved something faster and did a really good job,” said Joseph Stuntz of Virtru. “They get called up because something bad happened, they had a security incident.”

In general, the proponents of a more expedient FedRAMP approval process said agency authorizers should be risk conscious rather than risk averse. 

The principle of risk management assumes that, with limited budgets, organizations must make strategic choices about where to put resources and where to accept risk, ideally based on changing threats.

"The risk appetite has been a challenge," the Center for Cybersecurity Law and Policy's John Banghart said in introducing the recommendations, which advise: "Consolidate and standardize the process for risk acceptance across the federal government."

Cheriyan, a former CIO of SunTrust, agreed on this point and said that across GSA there will be a 50% increase in risk assessment training by the end of the year.

“Understanding enterprise risk frameworks is near and dear to my heart,” he said.