Matt Goodrich, the acting director of the General Service Administration’s Federal Risk and Authorization Management Program (FedRAMP), says his team will continue to refine ways for federal agencies to adopt cloud computing even as the majority of agencies have failed to adhere to the mandatory June compliance date.
Goodrich outlined the recent past and future of FedRAMP Wednesday at the National Institute of Standards and Technologies’ Information Security and Privacy Advisory Board open meeting. He estimated that of all federal agencies using cloud, only 25 to 40 percent of those cloud service providers are FedRAMP compliant. All federal agencies were supposed to have FedRAMP-compliant cloud by June 5.
When someone from the advisory board pressed Goodrich on why more agencies weren’t closer to meeting the deadline, he said that with the way the system is set up, his team can only do so much.
“As with any new IT initiative, no one is going to be 100 percent compliant the second there is a mandatory date,” Goodrich said. “There is not enough funding to meet every single IT policy that is out there for agencies to meet.”
With that in mind, Goodrich highlighted a new two-year roadmap for FedRAMP that will focus on three core efforts: increasing cloud adoption and compliance, improving efficiencies in the approval system and continuing to adapt to changing technology.
A key part of the changing technology is a focus on open source solutions. Goodrich says open source gives agencies a chance to adopt cloud much more quickly than before since security implementations and details aren’t proprietary.
“There’s obviously a big push within the administration to start using open source code and not having to pay for everything we do,” Goodrich said. “Open source code really has some great things that agencies can leverage.”
Agencies who do decide on open source could be giving FedRAMP some breathing room. Goodrich said that his Program Management Office’s and Joint Authorization Board’s workload is “50 percent over capacity,” currently working with 10 to 12 cloud service providers so they can earn Authority to Operate (ATO).
Another program Goodrich highlighted was FedRAMP Ready, which according to the cloud.cio.gov website “will “allow potential agency customers and authorizing officials a starting point to initiate an authorization.”
Goodrich says FedRAMP has already been working on FedRAMP Ready with a number of CSPs, including Dell Inc., International Business Machines Corp., Microsoft Corp. and Oracle Corp.
“What we were trying to demonstrate was providers had given us documentation that they were ready to initiate the assessment authorization, but no one has initiated that assessment with them,” Goodrich said Wednesday.
FedRAMP Ready is just one way Goodrich wants to speed up the process. According to him, it currently takes between 8-12 months for a CSPs to earn a Joint Authorization Board provisional ATO.
Goodrich’s remarks build on what former FedRAMP Director Maria Roat highlighted during a cloud computing convention earlier this year. Roat said FedRAMP would have “eight or nine initiatives over the next two years, including raising the security control baseline within the program.
“Now that the acceptance of the cloud has been happening [and] more and more agencies are embracing the cloud as a solution, I think the timing is right to really get that high baseline out there,” Roat said in July.