Major changes are coming in the way cloud service providers are certified to sell their products to the federal government, according to a blog post from the Federal Risk and Authorization Management Program, with the aim above all of speeding up the process.
“The fastest authorizations for FedRAMP have taken approximately six months,” wrote the program’s director Matt Goodrich Wednesday, referring to the coveted Authority to Operate, or ATO.
“We agree with you — that’s simply too long,” he added, saying he was responding to a chorus of opinions from providers, agencies and third parties.
Many companies that have gone through the FedRAMP process have complained about the months of wait time and hundreds of pages of documents that need to be assessed before they’re cleared for agency use.
FedRAMP, based in the General Services Administration, will be working to “focus more on capabilities and evidence up front, rather than documentation throughout,” wrote Goodrich.
On top of speeding up the authorization process, FedRAMP is working with digital services team 18F to create a public dashboard that will give greater transparency into where companies stand in the FedRAMP process. The new dashboard, which should be available this spring, will track which agencies are using FedRAMP, what services are available to agencies, what companies are authorized or going through the process of gaining an ATO. Goodrich also told FedScoop they are working with the White House’s Office of Management and Budget to determine whether the dashboard could eventually showcase how agencies have deployed cloud services across their enterprise.
FedRAMP is a security certification that agencies are mandated to get for cloud services, but some have cloud contracts that predate the requirement.
“We want to be able to highlight which agencies are incredibly active in FedRAMP and which ones are not,” Goodrich told FedScoop Thursday. “I think there is a lot of power behind public dashboards, and there are some agencies that have been at the forefront of adopting FedRAMP and there are some that have not. Whenever agencies are comparing themselves to other agencies, those that aren’t doing as well as others start to participate more.”
The office is also in the process of working with a select number of vendors on its high-impact security baseline, with expectations on finalizing those requirements by the end of the winter. The baseline, which has gone through different drafts over the past year, was developed after agencies like the departments of Justice and Homeland Security asked for ways to store in the cloud data with higher sensitivity levels.
Beyond policy changes, FedRAMP has also named a “FedRAMP evangelist,” who will work with agencies to find the right fit when it comes to certain cloud offerings. Ashley Mahan, who started with FedRAMP in October, will be in charge of an “agency roadshow over the next three months.” Mahan will meet with every federal agency to identify how they’re using FedRAMP and get a better understanding what types of CSPs they want to use.
The idea for a roadshow came from Goodrich’s time at OMB, where he was part of a team under then-CIO Vivek Kundra that worked to integrate the administration “cloud first” policy.
“It was really powerful to go out to all of the agencies and see what they were doing with responding to that policy when it first came out.
Goodrich wrote Wednesday these changes are just the beginning of a process that will become more iterative over time.
“We’d like FedRAMP to become as true of a partnership between the federal government and industry as possible— and we want the FedRAMP authorization process to clearly reflect this,” he wrote. “We need the continued engagement of both government and industry. So stay involved. We promise to continue to respond and iterate to ensure we’re meeting your needs.”
Contact the reporter on this story via email at firstname.lastname@example.org, or follow him on Twitter at @gregotto. His OTR and PGP info can be found here. Subscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here: fdscp.com/sign-me-on.