FedRAMP accelerated authorizes first provider in 15 weeks
Microsoft’s Customer Relationship Manager Online last week became the first cloud service provider to receive Federal Risk and Authorization Management Program authorization through its new “accelerated” program, doing so in just a fraction of the time the program used to take.
[Read more: Exclusive: FedRAMP embraces the need for speed]
FedRAMP Director Matt Goodrich said the cloud service provider received a provisional authority to operate on Sept. 22. after only 15 weeks. Before moving to the accelerated process, getting authorized took anywhere from nine months to two years, Goodrich told FedScoop.
The goal for the new accelerated process was to get companies authorized in less than six months, he said.
Getting authorized in less than four months is an “aggressive and fast” timeline, Goodrich said, given the number of security controls that need to be examined.
A big driver in the reduced timeline, Goodrich said, was moving from an initial documentation-based assessment before assessing capabilities to the program’s new FedRAMP readiness assessment that focuses initially on capabilities validated by a third-party assessment organization.
The last provider authorized before Microsoft took 40 weeks to move from documentation reviews to capability reviews, whereas it took Microsoft only 10 weeks, according to a blog post by Goodrich.
Goodrich also noted that moving from a waterfall approach — first looking at documentation, then testing and reviewing risks — to a more agile, iterative review process cut down on time to authorization.
Two other organizations are currently going through the accelerated process: Unisys with its Secure Private Cloud for Government and Edge for Government products, and 18F with its Cloud.gov service.
Goodrich told FedScoop he expects both to be authorized by the end of the calendar year.