The Federal Risk and Authorization Management Program’s year-old plan to streamline the authorization process for cloud service providers has proven to be such a success that officials say wait times have been slashed.
But that doesn’t mean that some federal agencies haven’t tried to find their own way to the cloud.
“It is the one [cloud authorization process]. It is a requirement, but I can’t sit up here and say that I haven’t worked with agencies that have asked cloud service providers to do different things, ” FedRAMP Agency Evangelist Ashley Mahan said at the Amazon Web Services Public Sector Summit on June 14.
“That is absolutely is very frustrating for me because, at FedRAMP, we have a very specific framework. We have a unified framework that benefits the cloud service provider and the agency, that makes the agencies’ lives easier. It’s everything an agency needs to make that risk-based decision.”
Though it's celebrating its fifth anniversary this week with improved metrics for the authorization process, FedRAMP has worked to make the federal government’s push toward cloud computing more efficient.
With the power to authorize which cloud service providers agencies could buy from, the office has taken heat in the past for the time it took for CSPs to attain FedRAMP approval.
FedRAMP Accelerated debuted in March 2016 as an option to speed up the authorization process by distilling extensive documentation down to a three-step process: a FedRAMP Readiness Assessment, a CSP Security Package Development and the authorization process from the Joint Authorization Board, which accredits the FedRAMP’s cloud standards.
FedRAMP Program Manager for Cybersecurity Claudio Belloli said at the AWS summit that the FedRAMP Accelerated process has reduced the wait for cloud authorizations to three or four months, which is down from a previous estimate of 12-18 months.
“We’re happy that it worked,” he said. “We rolled it out, and that is now the JAB process.”
Belloli also said that a new initiative, FedRAMP Connect, has helped smooth the process further by having the JAB evaluate CSPs in demand by government agencies and that
can demonstrate they meet certain criteria
“There’s a limited amount of resources even on the [Program Management Office] side,” he said. “We can get up to 12 CSPs in here through the JAB, so we want to make sure we are picking the right 12 and it’s the right product in demand by departments and agencies.”
He added that FedRAMP is also looking at agency needs for continuous diagnostic monitoring in the cloud and are talking to CSPs, agency partners and the office’s third party assessment organizations about their criteria for CDM evaluations.
That, coupled with the anticipated summer release of FedRAMP Tailored — the office’s strictly low-risk software-as-a-service baseline authorization — provides numerous lanes for CSPs to speed to authorization.
Though FedRAMP is celebrating 107 agencies engaged and 82 CSPs authorized through its process, Mahan said she and the office are available to assist and educate CSPs looking to navigate the process.
“At the end of the day, we are all working together to move to secure cloud in the most efficient way possible,” she said.