2016 in review: FedRAMP gets a facelift
Matt Goodrich debuted several significant changes during 2016 to the Federal Risk and Authorization Management Program, including the new Accelerated process for authorizing cloud service providers.
FedRAMP was designed to serve as a “do once, use many times” framework for assessing the security of cloud providers, but coming into 2016 the private sector was dissatisfied with how long it was taking them to go through the process. With the new Accelerated program, FedRAMP Director Goodrich hoped to fix that.
Accelerated debuts
Announced in March, the FedRAMP Accelerated program completely changed the way companies were authorized.
[Read more: Exclusive: FedRAMP embraces the need for speed]
Cloud service providers who want to earn FedRAMP compliance now have to complete a capabilities assessment with a third-party assessment organization, or 3PAO, before the FedRAMP office considers them for the FedRAMP Ready list. Additionally, a cloud service provider seeking a provisional authorization through the Joint Authorization Board must already be designated FedRAMP Ready and must have completed a full security authorization package, with all testing finished.
Before Accelerated debuted, cloud service providers seeking FedRAMP Ready status had to fill out hundreds of pages of documents and turn them over to the FedRAMP office for vetting, a review that took between three and nine months on average.
Under the new plan, providers that want to become FedRAMP Ready can go through what Goodrich says is a stronger capability assessment.
First company authorized under Accelerated
Microsoft’s Customer Relationship Manager Online in September became the first cloud service to be authorized under the new method, doing so in a fraction of the time the program used to take.
Goodrich said the cloud service provider received a provisional authority to operate on Sept. 22 after only 15 weeks. Before moving to the accelerated process, getting authorized took anywhere from nine months to two years, Goodrich told FedScoop at the time.
The goal for the new accelerated process was to get companies authorized in less than six months, he said.
Getting authorized in less than four months is an “aggressive and fast” timeline, Goodrich said, given the number of security controls that need to be examined.
A big driver in the reduced timeline, Goodrich said, was the shift in where the assessment starts: instead of an initial documentation review followed by a capabilities assessment, the new FedRAMP readiness assessment begins with the provider’s capabilities, validated by a third-party assessment organization.
The last provider authorized before Microsoft took 40 weeks to move from documentation reviews to capability reviews, whereas it took Microsoft only 10 weeks, according to a blog post by Goodrich.
Two other organizations are currently going through the accelerated process: Unisys with its Secure Private Cloud for Government and Edge for Government products, and 18F with its Cloud.gov service.
Goodrich told FedScoop at the time he expected both to be authorized by the end of the calendar year. But according to the FedRAMP website, the two have not yet been authorized.
[Read more: FedRAMP accelerated authorizes first provider in 15 weeks]
High-impact security baseline
On June 23 the program debuted its high-impact security baseline, which allows federal agencies to store highly sensitive information on any cloud service provider once it’s been given the FedRAMP seal of approval — provided certain controls are in place.
The baseline, which had been in the works since January 2015, adds roughly 100 security controls on top of the program’s moderate impact level. With 421 controls in place, the baseline lets agencies move more mission-critical legacy systems to the cloud.
“Around half of IT spend is around protecting the 80 percent of data that is low to moderate” impact levels, Goodrich told FedScoop at the time, adding that spend went into the operations and maintenance of legacy systems, including the cost of owning data centers.
“We are now able to break into that other 50 percent of high impact systems so agencies can move that over to the cloud and realize the efficiency of the cloud,” he said.
[Read more: FedRAMP finally releases high-impact security baseline]
Looking ahead
Goodrich said the program’s goal is to double the number of cloud services and authorizations in fiscal year 2017.
The fiscal year 2017 goals, unveiled Nov. 7, also included formalizing efforts to connect agencies with each other and industry in a program called FedRAMP Connect, redesigning its continuous monitoring processes and creating tailored baselines for specific use cases.
[Read more: FedRAMP targets improvements in continuous monitoring, community in 2017]
FedRAMP will introduce in 2017 tailored baselines for low impact software-as-a-service offerings, Goodrich said.
As FedRAMP has grown, Goodrich said his team has noticed that “one-size-fits-all models work well for” infrastructure-as-a-service and platform-as-a-service offerings. But a software-as-a-service offering could be something as simple as a project management tool or something as complex as an enterprisewide email, communications and unified messaging solution, Goodrich noted.
The first tailored baselines will focus on low-risk, low-impact SaaS solutions that officials think can “have a tailored process that will allow agencies to authorize them in a less burdensome manner than sort of these enterprisewide solutions that would be used for more types of uses and more types of information,” Goodrich said.
FedRAMP officials also want to redesign continuous monitoring processes, introducing automation wherever possible and looking more generally to make the process less burdensome on government and industry, Goodrich said.