When Maria Roat became director of the Federal Risk and Authorization Management Program a year ago, the program was just in its initial operating mode.
Under her watch, FedRAMP has evolved into a fully functioning program and today boasts more than a dozen approved cloud service offerings for agencies’ use. FedRAMP sets baseline security standards for federal cloud services.
“I am working with the Joint Authorization Board, all the technical representatives and with the team outreach to the agencies, to the cloud service provider and really moving the program forward, looking downstream at what is coming up and what should we be planning for,” Roat said.
Come June, cloud services in use at federal agencies must meet FedRAMP security requirements. The Office of Management and Budget says it will work with agencies through existing oversight processes to measure and analyze progress in meeting the June deadline.
Roat sat down with Federal Times staff writer Nicole Blake Johnson to discuss FedRAMP’s progress and future milestones. Following are edited excerpts.
What FedRAMP accomplishments over the past year are you most proud of?
Roat: My charge and my task coming in here was to get it to full operation, and we did that. There were a lot of tasks up underneath that; everything from standardizing processes, procedures to how long it takes a cloud provider to go through [FedRAMP], and we standardized our approach. Really all of that work as well as privatizing the third party assessor organizations, making sure we have got clear guidelines. If you have ever worked in any of those kinds of environments or seen it, really putting those processes and procedures into place, the baseline… That’s a lot of work moving through all of that. Taking our lessons learned and really moving the cloud providers through the process. We got quite a few through the pipeline last year and we have got many more coming in. I really think standardizing what we do as we move from IOC to full operation that was really instrumental. Certainly privatizing, like I mentioned, the third party assessment organizations, that was always part of the plan through the FedRAMP program and starting in March with the cut off and then going all the way through the selection and privatizing that with A2LA, I think that was a big piece and big accomplishment last year.
When did the responsibility for accrediting third party assessment organizations [3PAO] transition to the American Association for Laboratory Accreditation?
Roat: In early November. That is when they started accepting applications. We maintain the governance and the oversight, but they are doing the actual work that we were previously doing with NIST.
How has that transition freed up your staff?
Roat: I had contractors supporting me with the three 3PAO package reviews here, and there were three people at NIST who were working the packages as well. That was really the team that was doing all of the reviews for everything. The NIST folks will continue doing their other work around the accreditation and all of the standards and security; all of the things that they were doing previously.
Is the government paying A2LA to do this work?
Roat: Not at all. We are not paying them to do that. A2LA does charge a fee. If you look at the accreditation process, like for labs and other standardized things like that, A2LA does charge a fee for the 3PAOs to maintain their accreditation.
Has FedRAMP delivered against its key goals, including accelerating the adoption of secure cloud solutions through the reuse of assessments and authorizations?
Roat: When you look at that piece, we certainly have…what…ten cloud service providers? There are thirteen offerings out there for services. Are we accelerating these options? Yes, because we have agencies reusing those authorizations. When you look at Interior, they have issued [authority to operate] against a number of the infrastructure providers, and we have other agencies that are reusing the authorizations, including DISA. They granted an ATO to Autonomic Resources. Accelerating the adoption of secure cloud solutions? I think we have met that, as well as standardizing the authorization process for the cloud service providers. Part of the acceleration is that cloud providers only have to go through the authorization once. They do not have to do it each and every time with every agency. They do it once with our office or with an agency and it gets reused.
Is there a goal for how many agencies actually reuse the work, or provisional ATO packages being done through FedRAMP?
Roat: We do have some targets on that, but that piece is hard because we have to get the agencies to do the work on issuing the ATO letter. While we know which agencies are using some of the cloud service providers, the process takes a little bit because they actually have to type up the ATO letter. Sometimes, even though we send them a template it takes a little bit.
Another FedRAMP goal is increasing confidence in security of cloud solutions. How do you measure whether that was a result of FedRAMP?
Roat: I think with the rigor and the depth that we go through on our reviews here within the program management office and with the joint authorization board doing the reviews, the technical reviewers as well as my information system security officers, we go into so much detail, so much depth and rigor that when agencies are looking at those packages they are going, “Wow. These are really, really good.” They are actually leveraging work that we have done. I think part of the increased confidence is the trust we have built with the agencies that the work we are doing is good.
How has FedRAMP increased automated and near real-time data for continuous monitoring of cloud systems?
Roat: We were doing a lot of things manually. We do have a system in place for continuous monitoring now where we have started automating some of our dashboards, reporting, tracking and those kinds of things. We are working on that now. We hit a couple of snags this fall just with networking. I do not want to get in the weeds on it. It was just technical issues. Anyway, we had a couple of delays so we are in the testing process right now for a system for continuous monitoring. We have been doing continuous monitoring all along. We have been working with the cloud providers on the monthly deliverables that they do, their quarterly, their annual but we have just been doing more of a manual process than fully automated.
What security information do agencies receive from cloud vendors?
Roat: From an agency standpoint, the cloud service providers do give us monthly data. So, when you look at the concept of operations, the cloud providers are on a schedule. They do provide us data once a month on these scans and what they are doing, and we do track the plans of actions and milestones, the POAM items. That information is available to the agencies in our secure repository. They can look at it and if they have questions they come and ask us.
Security is so dynamic I imagine things could have changed since a report was last issued?
Roat: Potentially. That is why we work very closely hand in hand with the cloud service providers because if there are any changes in the risk posture they will let us know if something changes or something happens. We have the requirements with the cloud providers. They have monthly, quarterly, semiannual and annual deliverables. On top of those, we have weekly meetings with the cloud providers. We do not want to risk posture changes if something should happen. While they are delivering their monthly scans and those kinds of things, we are continually in contact with them, and we would know if something changed. We just do not have every day data coming in. That is not part of our requirements right now.
Agencies do not have real-time visibility into a provider’s security posture but must rely on reports, right?
Roat: They do not have that visibility because it is the cloud providers that are operating. They are doing the work. They are providing the service. They are providing the operations. We need to make sure that the risk posture does not change. If you need to get into continuous diagnostic monitoring, that is going to be a separate conversation. You know, what is going on downstream six or twelve months from now and the work John Streufert at [DHS’] National Protection and Programs Directorate. We work pretty closely with them, but you have to understand there is going to be a line drawn. What is the agency responsibility, versus what is cloud service provider responsibility? That is a different topic.
What type of data are the cloud service providers reporting?
Roat: They are giving us scans; monthly scans. We are getting reports on it as they scan all of their systems. Now, during the month, if there is an incident where they have had an attack or something like that we have processes and procedures in place for notification and escalation through to notifying US-CERT if applicable.
How many current cloud services are in use at agencies today that do not meet FedRAMP requirements?
Roat: I am going to answer this indirectly. We are in the middle of doing analysis based on what the agencies have reported in PortfolioStats and based on what information we know from other sources and looking at which cloud providers the agencies are using, which ones are authorized by the Joint Authorization Board and which ones are agency authorized. We are doing the analysis on what exactly the cloud posture looks like out there. We have a pretty good feel for certainly the big providers that we are working with, who their customers are and agencies are doing a lot of work with the cloud service providers. Getting our arms around which ones have been authorized and which ones have not, we are right in the middle of all of that work right now.
Is that something you plan on completing before June?
Roat: Oh yes, definitely. I have some preliminary numbers that I still have yet to bring to the Joint Authorization Board. I am not quite ready to go in front of them yet. Like I said, in the first PortfolioStat the numbers were not great as far as the six questions related to cloud. The second one was better. The third one had more reporting in there that looked a little bit better. The accuracy is getting a little bit better, but we have used that data and we have used what we know and we have built out a matrix for doing the analysis on that now.
What happens after June 2014?
Roat: Most of the agencies are really coming on board now, and we are getting many, many more questions about the June 2014 deadline. Many of them that are actively using cloud service providers are working with their cloud providers to really make sure that they either meet that date or they are in the process. We have had a lot of questions from the agencies that say, “Well, what if I am in the middle of the process with the cloud provider?” I said, “If I can justify to the OMB and show them that you are in process, you guys are OK,” but I have to show that there is forward progress, that an agency is working with a cloud provider or that the cloud provider is working with my office. As long as we know that they are in the queue, that they are working and progressing towards either a provisional authority to operate or an ATO, they will be okay. We worked with the CIO Council. Dave McClure has queued it up for reminders with the CIOs about the June 2014 date several times.
How will products and services be re-certified under FedRAMP?
Roat: We have got two cloud providers that are at their one-year mark for their provisional ATO: Autonomic Resources and CGI Federal. We already started the annual testing process for both of them back in December. When you talk about the re-certification and annual testing process, we are already in the middle of that with Autonomic Resources and CGI Federal. We started the annual testing process; what needs to be tested, what controls need to be tested, we started working that last fall, certainly with the prep work, because these are our first two. We want to make sure we get it right working with the first two. It takes a good month or so, and then even the pre-work ahead of that, making sure we are testing the right controls, takes a couple of weeks.
What does the June deadline mean for companies that want to start working in the federal cloud space?
Roat: If a vendor has not started the process with us or does not have any customers yet there are three avenues. Cloud providers can certainly hire a 3PAO and provide us with a submitted authorization package that says, “I have done everything. I think I am up to par, and I have a 3PAO test,” and just put it in our [FedRAMP] repository to be reviewed. There is that third avenue that the cloud service provider supplies that says, “You know, I think I am going to get work in a year or I think I am going to get work in six months and I just want to have a package ready to go,” they can certainly do that. It is just that my office has not looked at it, meaning the program management office or an agency has not reviewed it yet.
If you go back to the OMB memo and you look at what the requirements were for June of ’14, it spells out that any new procurements that agencies have had…any existing services that agencies had have to be FedRAMP authorized by June of ’14, and any new procurements have to have the FedRAMP language in them. Everybody says, “Oh, I have to be authorized by...” All of the agencies that have been using cloud service providers had to have them authorized by June of ’14. Anybody else that is in process, that is working towards it, or anybody new coming in, a new business coming in, certainly they can submit a package to us and we can start working with them.
So, if I start up a new company in November and I say, “I want to do business with the federal government, I want to submit something to FedRAMP,” I can do that?
How will FedRAMP transition to updated security requirements in NIST Special Publication 800-53 Revision 4?
Roat: We reviewed the NIST Rev. 4 baseline when it came out. We put 800-53 Rev. 4 out there for public comment the entire month of July. We had really, really good feedback on that. We worked through what we think the baseline will look like. We have not come out with it publicly, yet. We are waiting on NIST to finish up the test cases. They should be coming out within probably 30 to 60 days, which was the last word I got right before Christmas.
What will the adoption of updated security standards mean for companies that have already gone through the FedRAMP process?
Roat: There is a transition process. We will incorporate Rev. 4 in the annual testing for the cloud providers that already have their provisional ATO. Certainly, anybody new coming in once we release the baseline will have to use the new one. There are almost three pieces to it: the ones that are new coming in to us, the ones that are in process and then the cloud providers with provisional ATOs.
What are the biggest challenges ahead for FedRAMP?
Roat: We do have a number of things in the hopper for FY14. Definitely the 800-53 Rev. 4. When you talk about some of the shorter-term things that are going on that is definitely on our radar to get that out there. For the longer-term goals it would be maturing the program and really working with the agencies and making sure they understand how the layering and stacking of the cloud providers and the interaction between the cloud providers works. As cloud brokers are implemented, what that landscape is going to look like with the cloud brokers because there are different models of brokers.
Can you address the perception that FedRAMP is not sufficient for some agencies, such as DoD?
Roat: When you look at DISA, they authorized Autonomic Resources. I think there were 14 or 16 controls, or enhancements or changes, that DISA made [to FedRAMP]. It was not that many. The perception is that DISA is going to put a huge amount of requirements on top of the FedRAMP baseline, and that has not been the case to date. When you are looking at the moderate level, we work very closely. DISA has people that are part of our review team for the packages. As a cloud provider is going through the process, DISA is actually part of our team, part of the JAB team that is looking at and reviewing the packages. One of the things we are really looking at is making sure that…we are trying to get away from us doing the review and DISA doing a second review. How do we capture all of the things on the front end, because it is only a handful of control enhancements or different parameters that need to be changed for DISA, and the cloud providers are already doing it.
How might DISA’s additional controls be incorporated into FedRAMP?
Roat: What we are doing for Rev. 4 is we looked at what the DISA requirements are above and beyond the FedRAMP baseline, and there are some enhancements. It is not huge. We are looking at how we can incorporate that into Rev. 4 so that, while the review is ongoing, DISA is looking at it and incorporates the requirements as well, because it is not that many on top of [FedRAMP].