A Revamped FedRAMP Revealed

The Federal Risk and Authorization Management Program announced Monday how it plans to speed up authorizations without risking security, publicly introducing a FedRAMP readiness capabilities assessment.

The goal of the revamped process is essentially to allow vendors to demonstrate the capabilities of their cloud solutions early on in the FedRAMP process rather than the current scenario in which thousands of pages of cloud security documentation precede any demonstration of capabilities.

According to FedRAMP Director Matt Goodrich, who spoke Monday at a FedRAMP event at the General Services Administration's headquarters, the old approach has proven time consuming, and as time has gone by, more duplicative and less effective as more cloud service providers attempted to have their offerings meet FedRAMP’s requirements.

In this revised FedRAMP, third-party assessment organizations will play a more prominent role in cloud-security vetting, performing onsite assessments of a cloud service provider's system, the results of which will be documented in a FedRAMP readiness assessment report.  

“The goal of this is to allow vendors to demonstrate their capabilities faster through an assessment by a 3PAO than through documentation reviews by the FedRAMP PMO," according to draft language posted Monday for the FedRAMP Readiness Assessment Report Template and an accompanying document, the FedRAMP Readiness Assessment Guidance for CSPs and 3PAOs. "This will in turn enable CSPs and agencies to achieve FedRAMP authorizations faster without negatively impacting risk and quality of security packages."

The public will have through April 29 to comment on the new language.

Goodrich said the new process should significantly reduce the cost and time it takes for cloud service providers to go through the FedRAMP pipeline. In recent months, the FedRAMP PMO came under criticism as authorization times jumped to more than 12 months.

Under the new scenario, a cloud service provider could earn “FedRAMP-ready” status in weeks, allowing it to market its solutions to agencies while concurrently going through still-mandatory documentation reviews.

On Monday, Goodrich also announced FedRAMP will cease the “CSP supplied” route to meeting the program’s requirements. This road map, Goodrich said, was the least successful blueprint for agencies to actually meet FedRAMP standards. In the supplied route, cloud service providers would have thousands of pages of documentation drawn up and assessed by a third-party assessment organization and submitted to the FedRAMP office.