Why we're better with FedRAMP
- By Rick Barnard
Amid recent criticism of the Federal Risk and Authorization Management Program -- that its controls are not strong enough, that its compliance rules do not ensure security and that it actually makes it harder for agencies to move to the cloud -- many in industry have lost sight of all the gains FedRAMP has enabled. It provides standard controls and processes that agencies can evaluate and share. FedRAMP saves significant time, money and resources, and it delivers enhanced security visibility through standardized continuous monitoring reports and risk-based security management.
We all owe a debt of gratitude for FedRAMP's dedication to enabling federal -- and state and local -- government agencies to access and adopt cloud services. Understanding the program's impact is imperative.
Here are four reasons why FedRAMP's accomplishments should not go unnoticed:
- FedRAMP offers multiple routes to authorization. Cloud service providers (CSPs) have three paths to authorization. The most commonly used is to gain a provisional authority to operate (ATO) from FedRAMP's Joint Authorization Board. Alternatively, a company can be granted an ATO by an agency. Lastly, although no companies have used this method to date, a CSP can work independently with a FedRAMP-accredited third-party assessment organization (3PAO) to complete all required documentation, testing and security assessments. Costs tend to vary widely depending on the path, but all the approaches result in the same end goal: FedRAMP authorization and an opportunity to sell cloud products and services in the federal market.
- FedRAMP encourages built-in security. There is a significant investment required for companies to meet the government’s security standards, as there should be. It takes time and money, but the size of that investment depends on how prepared a company is before embarking on the FedRAMP process. Services built with government security at their foundation can make it through FedRAMP approval much faster and at much lower costs than commercial services that must be retrofitted.
- FedRAMP makes it easy for agencies to share ATOs. CSPs go through the FedRAMP process only once. Government agencies have different information standards and requirements, and therefore each will want to review a CSP's ability to meet those needs. Fortunately, the FedRAMP portal offers a quick and easy way for government officials to review a CSP's FedRAMP package, 3PAO assessment results, ATO letters from other agencies and more.
- FedRAMP has broad appeal. FedRAMP is expanding beyond only serving the federal government, with state and local agencies showing interest in the program. California officials are currently awaiting approval to use FedRAMP to minimize the risk to state data and constituent information and as a way to provide those constituents with a secure platform.
Many other state and local governments are beginning to follow in California’s footsteps, showing early indications of FedRAMP's long-term accomplishments.
Although FedRAMP has developed fast, it has remained comprehensive. It has also served the intended goal of qualifying government-ready service providers and sharing ATOs across agencies. Its accomplishments are real and should not be tarnished by those who are not ready or who want to make noise for financial gain.
Rick Barnard is head of Huddle's U.S. Public Sector.