The future of FedRAMP

The General Services Administration's Matthew Goodrich predicts more agency-driven authorizations and previews a new two-year road map.


GSA's Matthew Goodrich said FedRAMP leaders are streamlining the authorization process and providing better guidance to agencies.

As acting director of the General Services Administration's Federal Risk and Authorization Management Program, Matthew Goodrich is tasked with both enabling and encouraging agencies to embrace the standardized governmentwide framework for cloud security.

FCW's Mark Rockwell spoke with Goodrich about the progress to date and the outlook for 2015. Below are excerpts of that conversation, edited for clarity.

What is the outlook for FedRAMP in 2015? What are the priorities?

In the next six months, you'll see a two-year road map that will highlight our priorities over the next six, 12, 18 and 24 months. One of our key focus items is going to be making sure that we engage with agencies much more directly and help them complete and achieve more FedRAMP [authorities to operate] and make sure they're FedRAMP-compliant.

You'll also see us publish a lot more guidance, education and training modules for our stakeholders -- first in a more generic, open-to-everybody manner and then more directed at specific stakeholder groups as we continue to expand the knowledge base and training.

You'll also see us focus on the efficiencies of the program, incorporating lessons learned back into our documentation. Also, we're looking at how effectively we're using our [third-party assessment organizations'] work product to cut down some of our review cycles based on the quality of the products they've delivered to us, as well as aligning cloud providers with the most appropriate path for them to get authorization, whether that's the Joint Authorization Board, through the agency or directly through the [cloud service providers].

We will continue to grow, mature and adapt the program. We'll continue to work with the [Continuous Diagnostics and Mitigation] program at [the Department of Homeland Security], so that we're aligned as we move forward. We'll also work with the [Trusted Internet Connections] program, as well as finally beginning to address the high [security] baseline that our stakeholders have been asking for for a while.

How many agencies have achieved FedRAMP compliance? What is your advice for agencies trying to attain compliance?

Our insight into compliance is through PortfolioStat reporting and analyzing that data, as well as looking at some other data points provided by service providers that we're working with or through other data, like [Federal Information Security Management Act] reporting. So we have a pretty good grasp of what agencies are doing.

I think, though, that we are going to be directly engaging with agencies more to help them bring either those existing authorizations up to FedRAMP compliance or understanding if they've already come up and they haven't shared them with the [program management office]. I think there's probably some of that happening, too.

We have to really make sure we're engaging with our agency stakeholders to help them more efficiently upgrade their existing authorizations or get them to work with their current cloud providers to work through an authorization. We have to make sure they understand the value of FedRAMP across the federal government and what it enables.

What has been FedRAMP's greatest strength? What's most encouraging?

I started on the federal cloud computing initiative five years ago, and everyone at that point said the cloud wasn't secure. I think it can't be underscored enough that FedRAMP actually shows that cloud is something the federal government can use securely.

In a little over two short years being in operational programs, we've been able to show that 160 business systems reside in FedRAMP-authorized systems, as well as demonstrate roughly $40 million in savings [compared to the cost] if each one of those had been authorized individually.

Just underscoring the value of the fact that the cloud is secure and can be used -- coupled with reuse and overall cost savings in just the short amount of time we've been up -- I think is one of the biggest strengths we can show.

There has been criticism of the FedRAMP process as burdensome and prone to bottlenecks. How would you respond to those criticisms?

That's why we're trying to engage with our agencies more directly so they understand the process and the intent behind it.

FedRAMP didn't intend to change the processes by which agencies authorize IT systems. We wanted to ensure that agencies did it consistently from one agency to another so the federal government had a standardized way to assess risk in a cloud environment [and] so agencies could reuse it.

In making sure agencies fully understand what it means to be FedRAMP-compliant, I still think there is some confusion out there about what it takes to do that and the varying levels of review.

Is there a little bit of fear, too -- a fear of the unknown?

Culture change is not unique to the IT landscape. There's always going to be an amount of culture change, and anytime you outsource something to another entity, there's going to be some hesitance.

However, we've been able to show that government agencies can do it and have sustained levels of security.

How do you explain FedRAMP's complexities to federal agencies?

That is the challenge. FISMA is complex, and what we're focusing on is making sure it's clear and straightforward. If you try to simplify FISMA and FedRAMP, you miss some of the nuances.

What we're trying to do with our guidance is make sure that complexity is communicated in a very clear, straightforward way so that it's easy to follow and not something that is overly burdensome or too hard for agencies to do.

We're looking to...engage with agencies that think it's daunting or really complicated, and walk them through the process and make sure they understand exactly what it is.

Is there anything people will be surprised to see in the new two-year road map?

I don't want to say no because that makes it sound like everyone knows what we're doing. I think it's what you would expect with any program that's at our maturity level.

We're roughly two-and-a-half years in. We reached our mandatory compliance date in June, so we're trying to make sure that that compliance number goes up and reaches the highest it possibly can. We're going to focus on some key initiatives around that.

You had mentioned there are some criticisms of FedRAMP being overly burdensome or taking too long, so we want to make sure it's truly as efficient as possible, without lessening the rigor of the security assessments. We will continue to grow it out. We don't want to be a stagnant program.

Those are some of the key goals. I don't think any of that would be shocking. Those initiatives will make it much more clear.

What is the current compliance rate?

Through the PortfolioStat data that we have, we would estimate that agencies are anywhere from 25 percent to 40 percent compliant.

What else can you tell our readers about what they should be doing or what they should expect from FedRAMP?

We launched FedRAMP Ready [in October]. That's part of the PMO's goal of helping CSPs who are ready to begin an assessment and authorization with federal agencies. We're highlighting those CSPs on our website that have demonstrated the initiative to meet the federal requirements.

The providers that are listed there have gone through a readiness assessment by the GSA program management office. They have a baseline of documentation and are ready to begin with an agency [on] assessment and authorization. That's something we're excited about -- getting cloud providers through authorization faster.

Also, agencies are procuring more and more cloud services, so we're working to get out more specific guidance on how agencies should put FedRAMP into their contracts and what they should require from their cloud service providers.

How specific is the guidance?

Right now on the website, we have template contract clauses and template language. We're looking to expand that language for agencies when they're considering putting a contract out for cloud services.

We're seeing some procurements come out that show agencies requiring a FedRAMP authorization at time of award. With the number of CSPs that are authorized at the FedRAMP level now, it's hard to have a competitive marketplace for some services. It's a little unduly restrictive and premature to have those, so we're making sure we put guidance into the requirements so the contracting officers know exactly what it is agencies should be doing in terms of requiring FedRAMP authorizations, as well as when they can.

Is FedRAMP living up to its potential?

I think where we are at two-and-a-half years, absolutely. There's always room for growth, and we're excited to continue on the path that we've made.