The organization that authorizes cloud tools for federal agencies is working to establish a liaison who would work with civilian offices to improve their understanding of the Federal Risk and Authorization Management Program (FedRAMP), a top GSA official said Feb. 21.
“Where FedRAMP ... works really well in an agency is when there’s dedicated folks in the agency focused on getting through the process,” said Anil Cheriyan, director of GSA’s Technology Transformation Services.
FedRAMP has struggled in a few areas since its inception. Cloud service providers don’t like how long it takes to get approved for use by federal agencies, while agency officials don’t always understand what FedRAMP can do to help them.
The program allows agencies to reuse authorizations for different products in an effort to save the government money. However, Cheriyan said confusion persists at agencies about what can and cannot be reused.
“We’ve committed to raising the agency training by about 50 percent this year,” Cheriyan said at a Center for Cybersecurity Policy and Law event. “That’s a core area that the team’s been working on and, frankly, that’s going to help with clarification.”
Cheriyan also noted that between fiscal year 2018 and fiscal year 2019 FedRAMP saw a 50 percent increase in agency reuse of authorizations.
In connection with the event, the Center for Cybersecurity Policy and Law released a report Feb. 21 detailing three improvements that FedRAMP should make to improve its work, including the automation of the authorization process as a way to accelerate approvals. Cheriyan noted FedRAMP is already starting that work.
In December, FedRAMP announced it would use the Open Security Controls Assessment Language, a standard developed with the National Institute of Standards and Technology that can be applied to implementing and assessing security controls, to automate the authorization process.
As it stands, “It’s a really, very, very manual, painful process,” Cheriyan said. “Why does it take so long? It’s because it takes a lot of manual effort in terms of creating the reports necessary and [to] review the reports.”
Cheriyan also noted that FedRAMP approved about 60 new cloud providers last year, bringing the total to 175.
The report made two other recommendations. First, the authors suggested FedRAMP should consolidate and standardize the process for risk acceptance in the federal government. It also recommended that FedRAMP “enable the federal government to leverage the full scope of emerging innovation in the cloud computing and information technology markets.” For example, this could mean developing standard IT configurations across government and making selling to federal customers easier for cloud service providers by creating compliance pathways.
In response to the report, Cheriyan said, “Substantially, we’re in agreement with the report. We really want to see how we can implement a lot of the recommendations.”