FedRAMP reforms would streamline cloud adoption
By Michael Carter
Government agencies' increasing use of cloud solutions is not only likely, it will also get easier if new legislation introduced on July 26 by Reps. Gerry Connolly (D-Va.) and Mark Meadows (R-N.C.) passes. The bill, known as the FedRAMP Reform Act of 2018, would provide many needed improvements to the Federal Risk and Authorization Management Program, better known as FedRAMP. The proposal aims to increase cloud service providers' efficiency while also helping to eliminate redundant processes, such as agencies requesting new assessments for services whose assessments have already been adequately completed by third-party assessment organizations (3PAOs) and certified by the Joint Authorization Board.
FedRAMP: A solid start, but more is needed
In 2011, the federal government established FedRAMP to ensure that security was at the forefront of any discussion about how agencies should move to the cloud. The governmentwide program offers a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. The result of a successful FedRAMP authorization process is a Joint Authorization Board Provisional Authority to Operate (JAB P-ATO). It means the CSP has demonstrated that its cloud service meets the government's security requirements, and multiple agencies can reuse the FedRAMP-authorized service -- what the General Services Administration called “approve once, use many times.”
While labor-saving re-use has always been the intent, in practice, agencies often ignore the work that has been done by the JAB and start their cloud certification process anew, bringing inefficiency to the process and adding costs. The Connolly-Meadows proposal attempts to break this logjam by promoting reciprocity to the maximum extent possible with the goal of encouraging agencies to look favorably upon prior security assessment work. In other words, JAB P-ATOs are to be considered adequate, and reworking assessments is discouraged.
By providing what the bill terms a “legal presumption of adequacy,” the hope is that the spirit of FedRAMP’s mantra “approve once, use many times” will finally be a reality. FedRAMP could also benefit from more standardization, metrics and tracking and better defined roles and responsibilities across all participating entities.
How would FedRAMP change?
An important outcome of the legislation is that FedRAMP would be codified in statute, protecting program investments already made by CSPs. It would establish metrics for certifications, such as the time, cost and quality of assessments, providing a uniform framework in which agencies can be more confident. The bill also clearly defines roles and responsibilities for the Office of Management and Budget, FedRAMP Program Management Office, the Joint Authorization Board, third-party assessors and federal agencies.
The legislation, if passed, would also provide funding through the Acquisition Services Fund for the FedRAMP program (though the amount of funding is not specified), which should allow the program to do more and speed the time to market for FedRAMP-authorized CSPs.
Several proposed changes would improve the standardization, accountability and trackability of FedRAMP activities and government cloud usage. These changes include requiring that:
- The PMO develop a summary risk report template for 3PAOs to complete.
- JAB agencies appoint technical representatives.
- 3PAOs develop certification programs for individuals who lead assessments.
- Agencies provide data on how they are meeting metrics defined by the PMO, their cloud computing usage, ATO activity and potential demand for cloud to the FedRAMP director.
For full market transparency, the FedRAMP director would be required to submit an annual report on the status, efficiency and effectiveness of the FedRAMP program, the time it took to grant ATOs, automation progress, the number of cloud systems in use and the number of cloud ATOs.
The value in improving FedRAMP
Cloud solutions continue to proliferate in the private sector. As government agencies work to modernize their IT environments, more CSPs are evaluating the business case for going through the FedRAMP process to offer their solutions to public-sector agencies.
FedRAMP is already widely adopted: To date, more than 100 cloud service offerings from CSPs have achieved FedRAMP authorization, with another 70 in the queue and more considering how to approach the program daily. FedRAMP benefits the government as well, improving agencies' efficiency in adopting cloud solutions, saving an estimated 30 to 40 percent in government spend while reducing the staff time required to perform redundant agency assessments.
But FedRAMP can be improved for all parties. This legislation should aid in driving efficiencies, improving standardization and tracking and ensuring appropriate cybersecurity controls exist for agencies looking to modernize their IT environments and migrate to cloud-based services.
Michael Carter is vice president of FedRAMP assurance for Coalfire.