After Facing ‘Hard Truths,’ FedRAMP Director Pledges Changes to Cloud Security Process

General Services Administration

The office responsible for cloud security authorization will publicly roll out a revamped and redesigned FedRAMP on March 28.

The Federal Risk and Authorization Management Program office is taking steps to address “hard truths” that have emerged over the last six months – namely, stakeholders who aren’t happy with the speed or transparency with which cloud security authorizations are taking place.

The General Services Administration headquarters, which hosts the FedRAMP program office, will publicly roll out a revamped and redesigned FedRAMP on March 28 in what FedRAMP Director Matt Goodrich said will signal a shift from listening to concerns to acting on them.

Goodrich listed the hard truths in a March 10 blog post announcing the summit, and told Nextgov in an interview the next iteration of FedRAMP will address “every limitation we have.”

The FedRAMP staff, he said, has spent the past few months getting feedback. The next upcoming months will be about executing a redesign of the 4-year-old FedRAMP program.

“Four years ago, there was no FedRAMP, and if we could create a new process four years ago, why not create a new one now?” Goodrich told Nextgov.

The two most important issues to be addressed are increasing the speed of security authorizations and providing more public visibility into the FedRAMP process, Goodrich said.

As part of the overhaul, FedRAMP officials hope to complete authorizations in less than six months. The FedRAMP website will host a public dashboard to detail agency use, cloud service provider authorizations and where vendors are in the pipeline.

Funding Boost Could Help

Historically, the FedRAMP program – a staff of four federal employees and 25 contractors – had only received funding through GSA’s Office of Citizen Services and Innovative Technologies.

The 2016 fiscal budget marked the first time the three Joint Authorization Board chief information officers and their staff -- security professionals from GSA and the departments of Homeland Security and Defense who review vendors’ cloud solution packages -- received direct funding to support FedRAMP.

The funding roughly tripled the resources available to each JAB agency to directly support JAB authorizations, according to Goodrich.

The budget boost will ensure JAB security professionals aren’t just reviewing FedRAMP packages on a voluntary or part-time basis.

Those additional resources should aid FedRAMP’s efforts to reduce authorization times, even as demand on the program increases: In the last six months, there has been a 50 percent increase in FedRAMP authorizations – from 40 to 60.