The General Services Administration has introduced a new category for its Federal Risk and Authorization Management Program to highlight cloud systems proven FedRAMP ready.
Dubbed “FedRAMP Ready” systems, the new category will “allow potential agency customers and authorizing officials a starting point to initiate an authorization,” according to the FedRAMP Cloud.cio.gov website. These cloud service providers (CSPs), to be featured on the FedRAMP website, differ from others in that they have been reviewed by the FedRAMP project management office (PMO), Matt Goodrich, acting FedRAMP director for GSA, said in a statement.
“As more and more cloud services enter the FedRAMP assessment process, FedRAMP is providing more information to help agencies and CSPs achieve a FedRAMP authorization faster,” Goodrich said. “FedRAMP Ready systems have documentation that has been reviewed by the FedRAMP PMO and at a minimum have gone through the FedRAMP PMO readiness review process.”
At publication, just four cloud systems were listed on the FedRAMP website with varying degrees of demonstrated readiness. The elements of readiness featured with them will give agencies a jumping-off point for their cloud procurement process, Goodrich said. “Agencies can use this documentation to initiate an assessment and authorize these systems in a faster time than starting from scratch.”
Likewise, the more complete a provider is in conducting third-party assessments or providing FedRAMP documentation, the quicker agencies can navigate the assessment and authorization process, the website says.
The new FedRAMP category comes as agencies struggle to achieve FedRAMP compliance. A recent report from the Council of the Inspectors General on Integrity and Efficiency surveying federal cloud efforts found that 59 of the 77 systems observed didn’t meet the FedRAMP compliance deadline of June 5.
Citing a similar study, Susan Palermo, senior vice president of emerging programs and services for Creative Computing Solutions Inc. (CCSi), said FedRAMP isn’t getting the agency focus it should.
“Although the federal government has established cloud computing as a priority through initiatives like cloud first, adoption has been relatively slow,” Palermo said. “A recent report from the Government Accountability Office found that agencies have only dedicated two percent or $529 million of their IT budgets to cloud spending. Security and acquisition processes were identified as the most significant barriers to cloud adoption identified in the report.”
But with FedRAMP Ready, Palermo said, agencies and vendors alike could get an easier start navigating FedRAMP and the federal cloud procurement process, especially if a provider is accredited by a third-party assessment organization (3PAO) like CCSi.
“Vendors that are 3PAO accredited will have a more robust profile on FedRAMP Ready, which will allow agencies to initiate an assessment and procure services more quickly,” she said. Vendors that lack this accreditation and have only a PMO readiness review, she noted, are on their way to being FedRAMP compliant but are not fully there yet.
FedRAMP Ready will also accommodate open source code that agencies can deploy for their cloud solutions. So far, there are no open source builds listed on the FedRAMP website.