The Federal Risk and Authorization Management Program (FedRAMP) received over 60 responses from industry on its recent challenge aimed at helping speed up the program’s authorization process.
FedRAMP acting Director Ashley Mahan, speaking Oct. 2 at the VMware Public Sector Innovation Summit, referenced an ideation challenge solicited by the General Services Administration July 24 that sought help from industry in innovating the authorization process. Mahan said her organization, responsible for authorizing cloud-based tools for use in the federal government, is starting to go through the feedback.
“We’re taking that information, combing through it and we’re looking to see how can we automate … we’re looking at the whole end-to-end process here,” said Mahan. “There’s time that’s spent with cloud service providers preparing for the FedRAMP authorization, ensuring they’re implementing the security that we’re requiring.”
Mahan also said there’s time spent going through “traditional government authorization” and implementation of continuous monitoring.
“We’re looking to see where we can make things simpler, where can we provide clearer guidance and where can we automate,” Mahan said.
The FedRAMP process is notoriously slow and rigorous. It is also a significant and costly barrier to the government market for smaller companies and start-ups. Both industry and government officials want an automated FedRAMP process to ease the challenges of achieving authorization.
“We are known for our rigor,” Mahan said, adding that there are 1,200 individual test cases that assess cloud service providers’ cybersecurity. “We have to keep in mind that these cyberthreats are constantly evolving and so as organizations … we all have to be diligent in ensuring that we’re maintaining the security posture to minimize risk.”
In its ideation challenge announcement, GSA identified authorization challenges in the time the process took, cost, reciprocity and awareness.
“We’re committed to continuously improve and evolve as a program,” Mahan said.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.