Federal officials are considering ways of automating risk assessments and security authorizations for cloud products and services, now that a recent call for public feedback has ended.
The Federal Risk and Authorization Management Program (FedRAMP) Management Office launched an Ideation Challenge in July seeking input from industry, academia and agencies on how to improve procedures.
In 2011, the Office of Management and Budget established FedRAMP to authorize and continuously monitor cloud service offerings across agencies. While some agencies have streamlined authorizations, chief information officers and cloud providers continue to complain the process takes months, if not years, and should be automated.
“With the resources that it takes to bring a product to market, that particular certification, it has to create an innovation gap for agencies,” Ranil Dassanayaka, a senior director at VMware, said Wednesday at the software company’s Public Sector Innovation Summit, produced by FedScoop. “[T]hey may have new tech they really want to use but may not have the appropriate certifications available at the time it’s important.”
The FedRAMP program management office is “very aware” of the authorization timelines and closed the Ideation Challenge within the last month — having received more than 60 responses, said Ashley Mahan, the program’s acting director.
Now the PMO is reviewing the results and evaluating which parts of its process — preparing providers for authorization, ensuring security requirements are met and continuous monitoring — can be made more efficient.
“We’re looking to see where we can make things simpler, where can we provide clearer guidance and where can we automate within those three stages,” Mahan said.
Mahan told FedScoop her office plans to create a fiscal 2020 roadmap starting with “quick wins” on the path to automation, though those wins aren’t being publicized yet.
“And we’re also naming more strategic line items, as well, that we can work toward in the future,” she said.
Meanwhile, agencies like the U.S. Marshals Service continue to perfect their procedures as well.
Christine Finnelle, chief technology officer at the law enforcement agency, said it creates its own five-year roadmaps by following National Institute of Standards and Technology guidelines and working with industry to identify emerging tech.
“Because it’s not just the new technology, but it’s also sometimes new ways that the users are consuming that technology that drives the difference in how you need to approach security,” Finnelle said.