The General Services Administration announced a new challenge July 24 aimed at improving the security authorization process for cloud service providers seeking to contract with the federal government.
The Federal Risk and Authorization Management Program’s Program Management Office, or FedRAMP PMO, is soliciting ideas from stakeholders on how to fix numerous challenges that cloud service providers and agencies face in receiving approval from FedRAMP to use cloud products.
“More agencies than ever now adopt secure cloud technologies and FedRAMP strives to continuously improve how we support our customers,” said FedRAMP acting Director Ashley Mahan. “In an effort to enhance and evolve our program, the FedRAMP PMO seeks to leverage the power and insights of the cybersecurity community.”
FedRAMP’s main task as an organization is to standardize the federal government’s approach to security assessment, authorization and monitoring of cloud products.
The news release from GSA’s Technology Transformation Service said that it was looking to make the authorization process “shorter, simpler, less costly, and more likely to be reused” by other agencies. GSA is “seeking ideas to reimagine” the authorization process.
GSA identified several challenges it faces with the current authorization process: time, cost, reciprocity and awareness. In terms of reciprocity, GSA wrote that a major issue is that agencies aren’t accepting FedRAMP authorizations and require additional security controls, which it said “loses sight of FedRAMP’s intended ‘do once, use many’ goal.” It also said that misconceptions of the program dissuade agencies and cloud service providers from entering the authorization process.
At a congressional hearing last week, industry leaders reiterated to Congress that the FedRAMP authorization process was too costly and the timeline for approval too long. One small business owner said that some small businesses probably can’t afford to go through the process without an agency sponsor.
“This challenge provides FedRAMP’s stakeholders and the cloud security community at large the opportunity to directly inform and contribute ideas in support of a new approach to risk assessments and security authorization for cloud products and services,” GSA wrote on the challenge web page.
Submissions are due to firstname.lastname@example.org by Aug. 22.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.