Pentagon Will Default To Trusting Other Agencies’ Cloud Security Assessments

Within a month, the Defense Department—one of the most risk-averse agencies in the federal government—will be trusting other agencies’ assessments of cloud vendors’ security for middle-tier products and services.

Every software and service running on a federal network or hosting an agency service must meet a security baseline, certified through an authority to operate, or ATO. The Federal Risk and Authorization Management Program, or FedRAMP, was established to assist with this mandate, but the program has been mired in long wait times and heavy cost burdens for companies applying for authorization.

“What was supposed to be an expedited process—six months, maybe costing a quarter of a million dollars—instead, in many cases, took years—and takes years—and can cost companies millions of dollars, the very opposite of what FedRAMP was designed to achieve,” Rep. Gerry Connolly, D-Va., said during a hearing Wednesday held by the House Oversight Subcommittee on Government Operations. “We can’t leverage the potential of cloud computing if the processes are slower than the speed at which the technology itself advances.”

One of the biggest promises of FedRAMP that has yet to be fully realized it the sharing of agency authorizations—i.e., if one agency certifies a cloud service as secure, other agencies should be able and willing to accept that authorization without additional reviews.

This sharing—often call “reciprocity” in the ATO community—has been scant in the eight years the program has been active. Many agencies and program managers are reticent to reuse authorizations for fear the accrediting agency might have missed something or has a different set of requirements, standards and uses for the service.

Officials from the White House, Capitol Hill and the FedRAMP program office have been pushing for agencies to reuse ATOs more over the years, with only partial success. The Defense Department is looking to change that with an upcoming agencywide policy, according to Deputy Chief Information Officer for Cybersecurity Jack Wilmer, who serves as the department’s chief information security officer and also has a seat on the interagency FedRAMP Joint Authorization Board, or JAB.

To date, the department has approved use of 140 cloud services with provisional ATOs, only 20 of which required additional review. Going forward, that will be the Pentagon’s default position, Wilmer told the committee.

“We will now issue a general provisional authorization which will cover any cloud service offering that has been assessed at the FedRAMP moderate baseline. This means that cloud service providers will not have to wait for a separate DOD authorization to have their services used for DOD public data,” he said.

This will be the policy departmentwide within the month, he added.

“We are fully committed to reciprocity. There’s a massive incentive for us in having that reciprocal arrangement with FedRAMP,” Wilmer said. “Going through those 325 [controls] at the moderate baseline, as an example, which is something that the FedRAMP program takes on for us, is something we no longer have to do in order to leverage those cloud services.”

Wilmer noted the Defense Department does have additional security concerns compared with other agencies, but those required controls can be assessed on top of the authorization work that has already been completed.