Small businesses need lawmakers to ease barriers to product authorization through the Federal Risk and Authorization Management Program, according to industry and federal CIOs speaking before Congress.
FedRAMP is the entity charged with evaluating security and authorizing cloud products. During a House Subcommittee on Government Operations hearing on the program, CIOs noted challenges for small business in getting offerings approved, such as a lack of transparency with the length of the process and cost.
Or some don’t know it exists at all.
“A lot of small businesses are unaware of the process itself, the security requirements that we have,” said Anil Cheriyan, the director of technology transformation services at the General Services Administration.
It took 20 months for Virtru, a small data protection start-up, to get its product FedRAMP authorized for a federal agency to use, according to testimony from Virtru’s CTO Will Ackerly. From the beginning, he said, “it was also unclear upon entering the process how long it would take.” The process cost the company $1.6 million, he told lawmakers.
Entering the FedRAMP approval process can be a “high-risk decision for most small companies” because of the cost “when combined with unknown timelines,” he said.
Looking back, Ackerly said that if his company hadn’t received an agency sponsorship to go through the FedRAMP process, it may not have made it through.
Del. Eleanor Holmes Norton, D-D.C., said agencies may need to be given more reason to sponsor companies through the process.
“It looks like there needs to be incentives given for FedRAMP to encourage agencies to serve as sponsors for cloud providers,” Norton said.
Because of the amount of resources it takes to get approved, Congress needs to recognize that smaller companies take a long look at the process and are forced to decide whether it’s worth the investment, Rep. Gerry Connolly, D-Va., said.
“No small business can afford to risk millions of dollars and the uncertainty of no guarantee of when they’re going to be certified and that’s a huge problem for small and minority businesses,” Connolly said.
According to Cheriyan, 33 percent of FedRAMP’s current authorizations to operate are for small businesses, with another 33 percent in the pipeline. Connolly said during the hearing that 57 percent of agencies use the FedRAMP cloud security assessment and authorization framework.
Connolly and Rep. Mark Meadows, R-N.C., are working on legislation to reform the FedRAMP program, as well as officially write FedRAMP into law. A spokesperson for Connolly said the bill will be introduced “very imminently.”
Joseph Klimavicz, deputy assistant attorney general and chief information officer at the Department of Justice, said that small businesses wonder which security controls they most need to implement and which security impact level they should seek.
“They’ve asked for more information up front so they can make an investment decision and also how much is it going to cost to implement these controls,” Klimavicz said.
FedRAMP is also looking to increase automation in the approval process, which would improve the efficiency of security assessments — also beneficial to small businesses.
Jose Arrieta, CIO of the Department of Health and Human Services, said that any implementation in the process needs to include engagement with small businesses.
“That’ll actually help them plan to take advantage of the automation that you’re building,” Arrieta said. “That shouldn’t be ‘here’s what we’re thinking of building’ and then asking for their feedback. There should be a dialogue there that shapes what is built.”
Witnesses also called for FedRAMP to have additional resources. Jonathan Berroya, senior vice president and general counsel at the Internet Association, warned that a flood of cloud service solutions is coming and that the government urgently needs to authorize them in order to eliminate legacy systems.
“Many of these systems will be modernized using cloud services, which means dedicating adequate resources ... fund[ing] the FedRAMP program will become more essential to the cloud business ecosystem than ever before,” Berroya said.
Industry panelists also said that the creation of an industry advocacy body would be a beneficial step for companies both large and small. Lynn Martin, VP of government at VMware, agreed, noting she’s gone through the FedRAMP process four times and “it changes and they make improvements [but] it still takes a long time.”
“The creation of a formal industry body to provide regular feedback about the FedRAMP process and how things are working … would be something that would go a long way into ensuring that throughout the process the voices of both large and small companies were taken into consideration,” Berroya said.
Arrieta said HHS has authorized 14 cloud service technologies and uses over 60 FedRAMP-approved cloud products, and the key to HHS’ success is the partnership between government and industry.
“If you want to include the small business community … you have to engage them as part of the solution,” Arrieta said.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.