Of all the impacts the Trump administration’s cybersecurity executive order is projected to have, staffing for the Federal Risk and Authorization Management Program may not immediately pop to the top of the list of crucial issues.
But Barry West, a senior adviser for risk management at the Department of Homeland Security, sees the order as a chance to potentially beef up FedRAMP’s Program Management Office, whose responsibilities include authorizing the cloud service providers that contract with agencies.
Speaking at the IT Modernization Conference @930gov on Sept. 6, West said that the order — which lays out the administration’s goals for cybersecurity and information technology modernization — would spur either the need for more FedRAMP personnel to handle the growing demand for CSP authorization or improvements on the same scale as the 2014 passage of the Federal Information Security Modernization Act.
“We shot ourselves in the foot, much like we did with FISMA all of those years of just creating a reporting drill,” he said. “I think this order, what it’s going to do is it’s going to show those gaps around the FedRAMP.”
Congress passed FISMA in an effort to establish continuous monitoring of agency networks after its 2002 predecessor, the Federal Information Security Management Act, required annual reviews of information security programs. The 2014 law also provided DHS with a larger role in establishing cybersecurity standards for the federal government.
West, speaking at a session about the implementation of the May 11 cybersecurity executive order, responded to a question about whether the Program Management Office was understaffed to meet the demands of cloud providers seeking authorization. He said that while the program is doing great work, the demands on its authority to operate (ATO) process would likely require more resources.
“I think this order is going to show a lot of that gap from an IT modernization standpoint,” he said. “Things are going to have to change. They are either going to have to get the staff they need or we are going to have to look at the process, kind of like we did with FISMA. They did a lot of great work, but it got to a point where it just became a paper exercise. We’ll have to do the same thing, I think, with FedRAMP.”
FedRAMP recently celebrated its fifth anniversary, touting 89 authorized CSPs and $131 million in cost avoidances as a result of its ATO process. But the process has been criticized for the time it takes to get a CSP approved. In response, FedRAMP has developed a series of services to accelerate the process, including a developing project at 18F.
The May 11 executive order requires agencies to maintain “a modern, secure and more resilient executive branch IT architecture,” which includes shared services adoption of cloud computing. Cloud adoption by federal agencies is presumed to grow with efforts to upgrade federal IT.
The Department of Homeland Security is a member of FedRAMP’s Joint Authorization Board, the chief decision-making body for the program.