Agencies continue to lose out on potential savings because the federal process for authorizing and continuously monitoring the security of cloud services remains lengthy, costly and inconsistent, according to the Information Technology & Innovation Foundation.
The Federal Risk and Authorization Management Program (FedRAMP) made “significant improvements” since it began in 2011, but more reforms are needed, ITIF says in a new report. Among the suggestions are the wider use of liaisons who find ways for agencies to save money on cloud services and the broader use of pilot programs that test ideas for overhauling FedRAMP.
Currently, the Joint Authorization Board reviews about three cloud service providers a quarter, and agencies take an average of six to 12 months to issue authorities to operate (ATOs), a process costing companies more than $500,000 in hiring and product development. ITIF says agencies could reuse existing authorizations as one way to avoid that process, but more funding for improving the reviews is needed, too.
“FedRAMP still suffers from long timelines, high costs, and review processes that are inconsistent across federal agencies,” reads the report. “These issues have created artificial barriers to businesses offering their services to the federal government, thereby slowing agencies’ access to cloud services that increase their ability to serve the public while cutting costs.”
The General Services Administration, which houses the FedRAMP Program Management Office (PMO), recently launched the FedRAMP Agency Liaison Program to address these concerns. Agency liaisons, of which there are more than 30 as of June, will form a community to improve collaboration and knowledge sharing across government, Ashley Mahan, FedRAMP director, told FedScoop.
ITIF recommends the JAB and PMO require all agencies to appoint FedRAMP liaisons, who can promote reuse of existing authorizations. Their work already has saved agencies an estimated $285 million. The average number of agency reuses went from three in the first five years of FedRAMP to eight in 2019, but that number is still low, according to ITIF.
“The FedRAMP PMO looks for ways to continually improve the program and has launched several initiatives over the past year to address feedback received from the community,” Mahan said. “One of FedRAMP’s core value propositions is facilitating governmentwide reuse of security packages for cloud products.”
Fixing FedRAMP issues isn’t just the responsibility of the PMO, as agencies should be piloting ways to overhaul the program and Congress should pass legislation funding it and, in particular, more personnel to review cloud services, according to ITIF.
Reps. Gerry Connolly, D-Va., and Mark Meadows, R-N.C., introduced the FedRAMP Authorization Act of 2019, which would make “several positive improvements” and was passed by the House in February, the report notes.
The legislation would give $20 million a year to the JAB and PMO, increase reuse of authorizations by requiring agencies to use existing provisional ATOs and ATOs when possible, create a Federal Secure Cloud Advisory Committee for improving FedRAMP, and allow the PMO to explore automating authorizations and continuous monitoring.
In addition to Congress passing the bill, ITIF recommends:
- Expanding the JAB.
- Making agencies obtain exemptions if they refuse to reuse authorizations.
- Hiring technical experts within the PMO to develop automation tools.
- Requiring agencies to plan authorization improvements.
- Expanding performance metrics to include measures like the time it takes the JAB and agencies to authorize services.
- Providing authorization packages to the National Institute of Standards and Technology, so it can update baseline controls based on agency needs.
“Without the necessary changes and funding, the program risks helping, but also hindering, federal agencies to adopt cloud services,” the report says.