The Federal Risk and Authorization Management Program (FedRAMP) was set up to help agencies move confidently and securely into the cloud, but the process has gotten bogged down under the weight of accrediting cloud service providers (CSPs).
A new report out from MeriTalk analyzes the major causes of backlog and the extended authorization process and offers some ideas on how to fix these issues.
Report: Fix FedRAMP — A Six-Point Plan
"The real promise of FedRAMP — embodied in the 'certify once, use many times' framework — has been jeopardized by what has become a costly and time-consuming process that lacks transparency and accountability," the report reads. "Both government agencies and CSPs have voiced concerns about the efficiency of the program, as well as the perceived lack of effectiveness and transparency."
For instance, the report notes that two years ago the process took an average of nine months and cost CSPs around $250,000. In 2015, those averages rose to two years and as much as $5 million.
As the process drags on, CSPs have also cited transparency as an issue, often unaware of their status until the very end.
One method for speeding accreditation and reducing the backlog is allowing individual agencies to take on the process, a major part of the "certify once, use many times" philosophy. Unfortunately, that often leaves the agency that granted the authority to operate (ATO) with the responsibility for managing the authorization going forward.
The FedRAMP program office is working on a fix for that, including a current pilot to incorporate continuous monitoring responsibilities into what the Joint Authorization Board (JAB) is already doing, taking it off the plate of other agencies.
"For Uncle Sam to break with the expensive and dysfunctional legacy addiction, we need a FedRAMP fix," said Steve O'Keeffe, founder of MeriTalk. "Fix the program or it'll fall under its own weight. We can't afford to wait — it's time for action on FedRAMP 2.0."
The report offers a six-point plan that, if followed, could solve many of these issues.
1. Normalize JAB and Agency ATO Certification Process
According to the report, CSPs see a disparity between having a JAB certification and an agency ATO. To fix this, the report recommends creating a pathway for companies to graduate from an ATO to a JAB certification "when governmentwide demand is shown," among other actions.
2. Increase Transparency
The report suggests a number of ways to help CSPs figure out just how much an ATO will cost (whether through the JAB or an agency), including creating a dashboard and online portal for agencies and companies alike.
The authors also note the recent hiring of an "agency evangelist" is a good step in the right direction.
3. Harmonize Standards
FedRAMP accreditation is based on controls established by the National Institute of Standards and Technology. However, a number of other standards exist with overlapping controls, many of which have been created by, and are required by, federal agencies.
One way to speed up the process would be to grant CSPs credit for standards they've already had certified.
4. Reduce Cost of Continuous Monitoring
The program office is already running a pilot to centralize the work of continuously monitoring CSPs for compliance; however, the report suggests going a few steps further.
The report recommends enabling certain CSPs and third-party assessment organizations (3PAOs) to manage continuous monitoring, as well as shifting total responsibility to the Department of Homeland Security.
5. Empower Infrastructure Upgrades
A particular bottleneck exists for CSPs that provide infrastructure-as-a-service, as necessary upgrades are often halted while waiting for approval. The report offers a few options to ease this process, including establishing a set of "change management procedures."
6. Establish Defense Department Crosswalk
The Department of Defense has its own cloud security standards, though the guidance describes the requirements as FedRAMP-plus. (The FedRAMP PMO is also in the process of finalizing the high baseline controls, expected to roll out by March.)
The report asks the program office and DoD to coordinate and identify any gaps so CSPs can easily transition from one ATO to the next without having to restart the process.