Agency chief information officers and the private sector are advocating for an automated, risk-based approach to cloud security assessments as Congress considers codifying the Federal Risk and Authorization Management Program.
The comments come as some cloud providers have complained that the security assessment process continues to take months, if not years, and cost them millions of dollars. The Office of Management and Budget established FedRAMP in 2011 to authorize and continuously monitor cloud service offerings across agencies. In recent years, FedRAMP officials have emphasized efforts to streamline how cloud services are evaluated.
“The most important thing we can do is drive additional automation into the assessment process,” said Jack Wilmer, deputy chief information officer for cybersecurity at the Department of Defense, testifying before the House Oversight Committee on Wednesday.
The Technology Transformation Services office within the General Services Administration plans to evaluate a risk-based approach to authorizations, said TTS Director Anil Cheriyan. Cloud services could be approved at different paces, depending on the security threats they might face.
For now, Cheriyan said, FedRAMP is making progress under its current methods. Initially it took GSA three years to authorize 40 projects, but in 2018 it authorized the same number — decreasing timelines by almost 50 percent as FedRAMP grew to include 156 agencies, he said.
“I believe FedRAMP is turning a corner and is on the path to success,” Cheriyan said.
Efficiencies from P-ATOs
In an automated security assessment methodology, third parties could assess cloud providers in real time and produce cyber risk scores. The FedRAMP Joint Authorization Board could then issue Provisional Authorities to Operate (P-ATOs) — which allow the government to reuse previously evaluated cloud service offerings — based on those scores, said Joseph Klimavicz, deputy assistant attorney general and CIO at the Department of Justice.
Such a model would allow FedRAMP to evolve over time, said Jonathan Berroya, senior vice president and general counsel for the Internet Association.
“This may result in a compliance workflow that requires fewer intermediaries, less paperwork and faster processing,” Berroya said.
FedRAMP also fails to account for all federal security mandates, said Klimavicz, who would like to see an independent entity like the Federal CIO Council review P-ATOs to ensure they’re consistent with policy updates.
Rep. Gerry Connolly, D-Va., chairman of the Oversight Subcommittee on Government Operations, said he intends to reintroduce legislation codifying FedRAMP this session.
“Right now the problem is FedRAMP is potentially an orphan,” Connolly said. “It was created administratively; it can be eviscerated tomorrow morning.”