As more government agencies pursue cloud-based services, the General Services Administration has gained new momentum in streamlining a key approval process for agencies to acquire software-as-a-service products.
FedRAMP Tailored, a relatively new approach for the Federal Risk and Authorization Management Program managed by GSA, is designed to help reduce the time and cost for vendors to demonstrate their cloud services meet federal security requirements.
According to Ashley Mahan, the program’s acting director, FedRAMP Tailored focuses on creating security baselines that fit simpler cloud services and that pose fewer risks compared to infrastructure- or platform-as-a-service products, which have been the focus of the traditional FedRAMP program.
Mahan goes into more detail about the benefits of FedRAMP Tailored in a new podcast, produced by FedScoop and underwritten by GitHub, which recently earned FedRAMP approval for its popular cloud-based collaboration platform for software developers.
The reality of cloud adoption practices is that “they are happening at different rates and for different use cases,” Mahan explains.
GSA was able to tailor the risk-management approach of security requirements for SaaS products to ensure that government agencies can make full use of these technologies when they house public, or non-sensitive, data. That translates into significantly fewer artifacts that vendors must submit and maintain to obtain approval.
FedRAMP Tailored offers greater flexibility for SaaS providers, and makes it easier and less expensive to obtain federal security approval, says Jamie Jones, principal architect for GitHub, during the podcast.
In GitHub’s case, it means agencies can now securely move beyond an internally managed, enterprise-licensed software development platform offered by GitHub, to GitHub’s cloud-based platform, giving agencies access to a wider range of developers and software updates.
Jones highlighted three primary advantages for making that move. First, agencies can move all but the most sensitive data to the cloud and reduce demands for agency-run infrastructure. Second, GitHub Enterprise Cloud can now support agencies’ identification and authorization tools for seamless single sign-on. And finally, agencies can provision and deprovision users more easily, giving faster access to users.
“[Agencies] had been using GitHub, but it was mostly done for small projects or [outside] the official agency mission. Now with FedRAMP Tailored, we are seeing more requests for day-to-day workloads,” he says.
Mahan says that because FedRAMP Tailored focuses more on policies, procedures and training, rather than infrastructure, and can be more easily tailored to specialized services, it makes it much easier for vendors to develop the appropriate documentation and perform testing.
“I have seen vendors go through [the tailored process] in roughly four weeks, start to finish,” Mahan asserts.
Mahan says the response from agency CIOs has been mostly positive. The program is empowering them to focus on risk management and understand their mission’s unique cases and data types.
“Also, it strengthens partnership with industry and provides an incredible amount of transparency pertaining to [providers’] cloud environments,” Mahan says.
This podcast was produced by FedScoop and underwritten by GitHub.