Officials will unveil two big changes to the Federal Risk and Authorization Management Program Monday, aimed at drastically reducing the time it takes for cloud service providers to earn an authority to operate and begin selling to federal agencies.
Moving forward, cloud service providers who want to earn FedRAMP compliance will have to complete a capabilities assessment with a third-party assessment organization (3PAO) before the FedRAMP office considers them for the FedRAMP Ready list. Additionally, if a cloud service provider is to earn FedRAMP certification through the Joint Authorization Board, it must be considered FedRAMP Ready and have completed a full security authorization package with all testing finished.
In order to currently earn FedRAMP Ready status, cloud service providers fill out hundreds of pages of documents and turn them over to the FedRAMP office for vetting, which takes on average between three to nine months to complete.
Under the new plan, providers that want to become FedRAMP Ready will go through a stronger capability assessments that will be completed by a 3PAO in only only one to three weeks, instead of the months it currently takes.
Upon completion, that “mini assessment” will be examined by FedRAMP’s Program Management Office. If the PMO office likes what it sees, the provider should be declared FedRAMP ready within one week.
Goodrich told FedScoop the current documentation review “is not very powerful because you are just looking at documentation, you aren’t looking at the system.”
“We believe it will be much cheaper and faster for organizations to have a capability assessment done and provide it to the PMO, and we would be able to review that report and determine if someone is ready within a week,” he said. “We’re talking a process that’s taking all of this documentation and then delivering over to us, and providers can demonstrate their capabilities. Within a month, they can have that proven and up on our website.”
FedRAMP will also be changing the way cloud service providers earn an authority to operate from the Joint Authorization Board. In order to go through the JAB process, companies are required to have a FedRAMP Ready designation and have completed a full security authorization package with all testing finished. Since the process to earn a FedRAMP Ready designation has already been sped up, the JAB process should take no longer than three to six months.
The FedRAMP Ready designation will not be required for providers who are looking to earn an ATO through an agency. However, Goodrich tells us if a cloud provider isn’t prioritized immediately or appropriately for the JAB, it can turn to an agency where a “Ready” designation “will strengthen their ability to demonstrate their capabilities and find agency customers faster and cheaper.”
In order to accommodate these changes, Goodrich told FedScoop the CSP Supplied Packages Path — which involved CSP’s handing over a completed security assessment straight to the PMO for approval — will be ending. FedRAMP will be taking CSP Supplied Packages until April 29th, with CSP’s who pass it earning compliance for a year from that date.
“What we are going to be focusing on instead of the CSP Supplied Path is the new FedRAMP Ready,” Goodrich said. “That path can happen in probably 10 to 15 percent of the time it would take to a full CSP Supplied Package compliance, and would cost 10-15 percent of the amount as well.”
The cost is partly responsible for the change. Sources told FedScoop that the CSP Supplied Path is being phased out is due to some providers spending hundreds of thousands of dollars trying to rush through the process, only to find they weren’t close to meeting the right security requirements.
The changes to FedRAMP ready will be released in draft form on Monday, and open to public comment until April 29th. Goodrich said the goal is to have the new capabilities assessment procedure finalized within 2-3 months.
“If we can finalize that process in two months, that would still be faster than have someone enter the new process and have two months where we aren’t delivering anything for them,” he said. “It will still be faster than the current process we have. It makes sense for us to focus heavily on these capabilities assessments rather than continuing to do the documentations that aren’t as powerful as we would like them to be.”
The changes come as FedRAMP has spent the past few months reaching out to agencies, 3PAO and the CIOs involved in the JAB for ways to improve the much-criticized authorization process. While Goodrich says his office had some lofty goals of its own beforehand, the feedback proved the program should concentrate on speeding up the process instead of what Goodrich called “boiling the ocean.”
Goodrich told FedScoop the changes are more of an indication that FedRAMP is an evolving process and doesn’t need a complete overhaul.
“The process works,” Goodrich said “When we started this four years ago, FedRAMP worked then and it’s continuing to work now. That doesn’t mean we can’t make it faster and better. I don’t want there to be some perception that FedRAMP isn’t working. It is. We would just like it to work faster and scale more, so we went into this redesign process.”
You can watch the FedRAMP announcement via livestream at 8:30 a.m. Monday.
Contact the reporter on this story via email at firstname.lastname@example.org, or follow him on Twitter at @gregotto. His OTR and PGP info can be found here. Subscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here: fdscp.com/sign-me-on.